Intercept read operations
Right now, Sandboxie only intercepts write operations from the sandbox to the hard disk, right? From what I understand, it allows data to flow from the hard disk to the sandbox. Is there a way to block these read operations for certain sandboxed programs? Let's say I was running a keylogger inside the sandbox. The keylogger would still be able to read stuff from other running windows, capture my keystrokes, or even take screenshots. Can Sandboxie stop this?
You can ask Sandboxie to block read access to some files by using the ClosedFilePath configuration setting.
Blocking key-loggers is another matter entirely, discussed in this FAQ answer.
And finally, you can install an outbound-filtering firewall, which could warn you if any unrecognized program is trying to send out data.
tzuk
I actually read that portion of the FAQ, but I'm afraid I don't completely understand it. Is a keylogger that is downloaded or run from inside the sandbox completely harmless then? Suppose it tried to use the function GetWindowTextA to read text from other non-sandboxed windows. Would this function work?
> is a keylogger that is downloaded or run from inside the sandbox completely harmless then?

Not completely harmless. As long as it's active inside the sandbox, it can do what it wants. But being trapped in the sandbox, the keylogger disappears when you stop the activity in the sandbox.

> suppose it tried to use the function getwindowtextA to read text from other nonsandboxed windows.

Well, this isn't really related to logging keys. GetWindowText would work if the sandboxed program knows the window ID (hwnd) for the window it wants.
However, sandboxed programs don't normally see unsandboxed windows, so they have a harder time getting such window IDs.
tzuk
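As an added check (example code written for this edit, not tzuk's or Sandboxie's own), the following Windows PowerShell script lists the visible top-level windows the calling process can enumerate, with owning PID and title, using the user32 EnumWindows and GetWindowText calls discussed above. Run it once normally and once sandboxed (right-click the script or a PowerShell shortcut and choose "Run Sandboxed"), then compare the two listings: the sandboxed run is expected to show far fewer unsandboxed windows, which is the isolation tzuk describes. Assumptions: Windows PowerShell 5.1 or later in an interactive desktop session; the class name WinEnum and the 512-character title buffer are this example's choices.

```powershell
# Added example: enumerate visible top-level windows and their titles.
# Compare the output from a normal run with the output from a sandboxed run.

Add-Type @"
using System;
using System.Text;
using System.Runtime.InteropServices;

public static class WinEnum {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);

    [DllImport("user32.dll")]
    public static extern bool EnumWindows(EnumWindowsProc lpEnumFunc, IntPtr lParam);

    [DllImport("user32.dll")]
    public static extern bool IsWindowVisible(IntPtr hWnd);

    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder lpString, int nMaxCount);

    [DllImport("user32.dll")]
    public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
}
"@

$windows = New-Object System.Collections.Generic.List[object]

# EnumWindows calls this delegate once per top-level window it lets us see.
# Returning $true keeps the enumeration going.
[WinEnum+EnumWindowsProc]$callback = {
    param([IntPtr]$hWnd, [IntPtr]$lParam)
    if ([WinEnum]::IsWindowVisible($hWnd)) {
        $title = New-Object System.Text.StringBuilder 512
        [void][WinEnum]::GetWindowText($hWnd, $title, $title.Capacity)
        [uint32]$ownerPid = 0
        [void][WinEnum]::GetWindowThreadProcessId($hWnd, [ref]$ownerPid)
        if ($title.Length -gt 0) {
            $windows.Add([pscustomobject]@{
                HWnd  = ('0x{0:X}' -f $hWnd.ToInt64())
                PID   = $ownerPid
                Title = $title.ToString()
            })
        }
    }
    return $true
}

[void][WinEnum]::EnumWindows($callback, [IntPtr]::Zero)

$windows | Sort-Object PID | Format-Table -AutoSize
"Visible titled top-level windows enumerated by PID $PID : $($windows.Count)"
```

Sandboxie by default decorates the titles of sandboxed windows with [#], so in the sandboxed listing you can tell which entries belong to the sandbox and which (if any) unsandboxed windows leaked through. Anything a sandboxed process can enumerate here is a window it could also pass to GetWindowText, so the second listing is the practical answer to the question above for your own configuration.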
I know I'm probably reviving an old thread, but I noticed that you had made some significant changes to the most recent versions of Sandboxie. Has this had any effect on blocking functions such as GetWindowTextA that might allow an unsandboxed program to read the titles of windows that it shouldn't? If not, do you plan on implementing such functionality in the future? An example of something that uses such functions is the 'Warden' in the popular MMORPG game World of Warcraft (it might also do other things; I'm not sure). Aside from the Warden, however, there might also be other malicious software that uses this same function to read window titles, or other functions to read window contents or log keystrokes that are pressed. I am not experienced enough to know exactly what functions are involved or how this might be done, but if it were possible for such monitoring activities to take place, I think it might be possible for a malicious program to call home with the information before the sandbox is cleaned out.
Block Read Requests
Has it already been requested to have reads blocked completely? For example, at work (unfortunately) our enterprise virus scanner runs randomly in the afternoon, usually when I've got a lot of stuff open, building, deploying, etc.
I can't block or uninstall it, as it's a corp directive.
I was curious, though, if I could push it to run in the sandbox and have it either block all reads or just report something back minimally.
So then, rather than it running at 10-20% of my CPU, churning through every file on my drive for an hour, it'll finish in 2 seconds, more or less emulating an empty hard drive, essentially scanning more or less nothing.
Then, off hours, it'll run outside the sandbox and scan everything when not at work.
Does the scanner have a static EXE name that is launched on demand? If so, you should be able to do:
ForceProcess=<scanner>.exe
ClosedFilePath=<scanner>.exe,*
This should force the scanner into the sandbox and deny all file/device access. It'll either crash miserably or finish scanning instantly.
If that breaks your computer, you could try
ClosedFilePath=<scanner>.exe,\Device\Harddisk*
That should just block harddisk access.