Question regarding Sandboxed programs that attempt to delete

Utilities designed for use with Sandboxie
HappyUser

Question regarding Sandboxed programs that attempt to delete

Post by HappyUser » Fri Sep 19, 2008 6:37 pm

Hi all,

I was wondering if there is a feature someplace that I have overlooked that preserves files that are targetted by the sandboxed program for deletion?

IE: whatever the file creates, if it tries to delete it later, the "deleted" file should go to a recycle bin or something in the sandbox. I wish to preserve all files created during the sandboxed programs run. Including any files the host program tries to purge.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Sat Sep 20, 2008 3:08 am


raid
Posts: 58
Joined: Sat Aug 23, 2008 12:17 am
Location: TN, USA
Contact:

Post by raid » Mon Sep 22, 2008 3:11 am

Damn, I was the one who posted as HappyUser as I was away from my home computer at the time...

The reason I wanted the feature is the same as yours Buster. I have gone so far as to tell sandboxie that my entire documents and settings folder is available for quickrecovery upon something trying to delete. When testing a malware sample the other night, I wasn't able to capture one of the temporary executables it drops, short of manually extracting the installer myself. Sandboxie showed the file as available for recovery, but when I tried, no file found recovered. Strange too, it would bring back others.

Anyway... It does allow me to pick a folder I can recover too. Maybe tzuk could add a box we could check for autorecover, and store the "deleted" files in the folder we picked previously?

That would accomplish our needs of preservation I suspect. As we both know the installers are using temp folders from documents and settings trees.
Everything is so different, yet I am the same...

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Mon Sep 22, 2008 5:17 am

Any way to recover or keep deleted files would be a valid option for me too.

tzuk
Sandboxie Founder
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Tue Sep 23, 2008 5:33 pm

I don't see Sandboxie as a malware research tool, so I'm not going to add features that are dedicated to malware research. Buster, I've already mentioned the InjectDll setting which would let you inject DLLs into sandboxed programs. All you need is to write a small DLL that hooks DeleteFile and prevent the deletion. Maybe you and guys can team up and figure out how to do that.
tzuk

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Tue Sep 23, 2008 6:21 pm

tzuk wrote:I don't see Sandboxie as a malware research tool, so I'm not going to add features that are dedicated to malware research. Buster, I've already mentioned the InjectDll setting which would let you inject DLLs into sandboxed programs. All you need is to write a small DLL that hooks DeleteFile and prevent the deletion. Maybe you and guys can team up and figure out how to do that.
I understand you didn´t code Sandboxie as a malware research tool but it can be used for that purpose as I use it for other tasks. I didn´t insist in the feature because almost nobody else seemed interested on it.

I was researching the InjectDll but I was unable to do it. The DLL I coded uses a system hook which is not compatible with Sandboxie.

Personally I would not hook DeleteFile but NtSetInformationFile and then I would check if FileInformationClass is equal to FileDispositionInformation.

If anyone has any idea of how to code such DLL I´m open to collaborate with him to make it.

BobJam
Posts: 40
Joined: Tue Sep 23, 2008 7:03 am

Post by BobJam » Tue Sep 23, 2008 8:13 pm

tzuk wrote:I don't see Sandboxie as a malware research tool
But indeed it is used for that. As I see it, it's a perfect fit, though I'm not campaigning for a function to allow placement of deleted files/sessions.

I'm new to Sandboxie, so I may not even understand what raid and Buster are getting at. Nevertheless, I know many who use Sandboxie for their malware "surfing" to rate sites (a la WOT and SA). My compliments, tzuk.
BJ

Ultimately, the only protection against phishing, forged Web pages, downloading malware, and other threats is the technology located between the user's ears.

tzuk
Sandboxie Founder
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Tue Sep 23, 2008 8:22 pm

Sample DLL:

Code: Select all

#include <windows.h>

//

typedef void *(*P_SbieDll_Hook)(const char *ApiName, void *ApiFunc, void *NewFunc);

typedef BOOL (*P_DeleteFileW)(const WCHAR *Path);

//

static P_DeleteFileW pDeleteFileW = NULL;

//

static BOOL MyDeleteFileW(const WCHAR *Path)
{
    const WCHAR *dot = wcsrchr(Path, L'.');
    if (dot && _wcsicmp(dot, L".txt") == 0) {
        MessageBoxW(NULL, Path, L"Intercepted", MB_OK);
        SetLastError(0);
        return TRUE;
    } else
        return pDeleteFileW(Path);
}

//

BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    if (dwReason == DLL_PROCESS_ATTACH) {

        MessageBoxW(NULL, L"Started", L"InjDll", MB_OK);
    }

    if (dwReason == DLL_PROCESS_ATTACH) {

        HMODULE SbieDll = GetModuleHandleW(L"SbieDll.dll");
        P_SbieDll_Hook SbieDll_Hook = (P_SbieDll_Hook)
                    GetProcAddress(SbieDll, "_SbieDll_Hook@12");

        HMODULE Kernel32 = GetModuleHandleW(L"Kernel32.dll");
        pDeleteFileW = (P_DeleteFileW)
                    GetProcAddress(Kernel32, "DeleteFileW");

        pDeleteFileW = SbieDll_Hook("DeleteFile",
                                    pDeleteFileW,
                                    MyDeleteFileW);
    }

    return TRUE;
}
Note the use of SbieDll_Hook to hook APIs, along with InjectDll, this makes it very easy for you to focus on the interception logic and not the boilerplate of injecting DLLs and rewriting APIs. But you have to run the program sandboxed, otherwise none of that works.

Now let's say you compile this into c:\temp\inj.dll, so you add a DefaultBox setting,

Code: Select all

InjectDll=c:\temp\inj.dll
Refresh configuration, start a sandboxed command prompt, type "del somefile.txt", you'll get a message box and the file will not be deleted.
Last edited by tzuk on Wed Sep 24, 2008 7:02 am, edited 1 time in total.
tzuk

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Wed Sep 24, 2008 4:23 am

I compiled the DLL with lcc-win32 and I did the test but it didn´t work.

Does it work for you?

tzuk
Sandboxie Founder
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Wed Sep 24, 2008 7:04 am

It does work for me. I've revised the source above to include another MessageBox which appears as soon as the DLL is injected into the process. You can get my compiled DLL here:

http://www.sandboxie.com/Inj.dll

I compile with the Windows DDK compiler.
tzuk

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Wed Sep 24, 2008 9:20 am

What´s the command line you use to compile?

tzuk
Sandboxie Founder
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Wed Sep 24, 2008 9:45 am

I use the WinDDK build tool, it runs the compiler and linker internally.
tzuk

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Wed Sep 24, 2008 10:00 am

Your DLL works fine.

I generated the DLL with Visual Studio 2008 and works too. The difference is that your DLL is 3 KB and mine over 40 KB. That´s why I was asking what command line you were using. ;-)

Thanks!

tzuk
Sandboxie Founder
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Wed Sep 24, 2008 10:06 am

Ha, I guess the build tool knows its stuff. :) Glad the DLL is working, I'd like to hear that you got it doing what you want and that you can take back your feature request. :wink:
tzuk

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Wed Sep 24, 2008 10:12 am

tzuk wrote:Ha, I guess the build tool knows its stuff. :) Glad the DLL is working, I'd like to hear that you got it doing what you want and that you can take back your feature request. :wink:
It almost does what I want.

Do you know if it´s possible to know (if yes, some code would be of help) what´s the file name that made the DeleteFile call?

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest