Block Process Access

Utilities designed for use with Sandboxie
ThantiK

Post by ThantiK » Mon Feb 16, 2009 5:07 am

When I run injtest.exe 4032 (wow.exe) I get this:
"The procedure entry point RegGetValueW could not be located in ADVAPI32.dll"

System-Wide process/thread snapshot handle:
0x00000114

Data Read from process [4032]:
0x4D5A90000300000004000000FFFF0000

Process module snapshot handle:
0x00000128

Hope this helps.

thantik
Posts: 5
Joined: Mon Feb 16, 2009 5:11 am

Post by thantik » Mon Feb 16, 2009 5:12 am

I got similar results when running injtest.exe on both sandboxed and unsandboxed programs.

(I am running injtest within the sandbox that's supposed to be blocking these calls)

hch

Post by hch » Mon Feb 16, 2009 7:29 am

@wraithdu

I have no idea what that process is. It's strange: the ID that appears in the debug view doesn't seem to exist in either Sandboxie or Task Manager. (I tried a few times; each time the ID didn't exist.)

Regarding the latest version, explorer does run now, but it starts up with an error "The procedure entry point RegGetValueW could not be located in the dynamic link library ADVAPI32.dll". Both SandboxieRpcSs.exe and SandboxieDcomLaunch.exe are running, and the explorer window is visible and functioning.

That would still be fine, except that the process blocking function does not seem to work anymore (even with other programs besides explorer.exe). I am now able to access unsandboxed processes even while inside the sandbox. Previously, the explorer.exe didn't work but the process blocking functions did.

wraithdu
Posts: 1410
Joined: Fri Jun 29, 2007 2:54 pm

Post by wraithdu » Mon Feb 16, 2009 9:35 am

Turns out that registry function is not available in XP, so the DLL was not being loaded correctly. Please try v1.0.0.3 which uses an older function that is available.

hch

Post by hch » Mon Feb 16, 2009 1:08 pm

I've tried v1.0.0.3 and now there are no errors at all. However, the process blocking function is not working (Task Manager can view unsandboxed processes, and the sandboxed processes can access unsandboxed processes).

DbgView no longer provides any useful information, only one line.

[3084] Sandboxie path: "C:\Program Files\Sandboxie\

=============================

To give an overview, here are the tried and tested results of all the versions.

v1.0.0.1 (First One)
Processes That Didn't Work - SandboxieRpcSs.exe and SandboxieDcomLaunch.exe
Explorer Functioning? - No
Process Reading Protected - Yes! (Sandboxed processes could not access unsandboxed processes)

v1.0.0.1 (Second One)
Processes That Didn't Work - SandboxieDcomLaunch.exe only
Explorer Functioning? - No
Process Reading Protected - Yes! (Sandboxed processes could not access unsandboxed processes)

v1.0.0.2
Processes That Didn't Work - All Processes Working
Explorer Functioning? - Yes (But with the error message "The procedure entry point RegGetValueW could not be located in the dynamic link library ADVAPI32.dll")
Process Reading Protected - No! (Sandboxed processes WERE ABLE TO access unsandboxed processes)

v1.0.0.3
Processes That Didn't Work - All Processes Working
Explorer Functioning? - Yes (No visible error messages)
Process Reading Protected - No! (Sandboxed processes WERE ABLE TO access unsandboxed processes)

Something must have broken the process protection between version 1.0.0.1 (second one) and 1.0.0.2.

wraithdu
Posts: 1410
Joined: Fri Jun 29, 2007 2:54 pm

Post by wraithdu » Mon Feb 16, 2009 2:39 pm

Yeah, I'm aware of the progression of things. I just don't have an XP system to test, and Sandboxie won't install in my VirtualBox VM.

Your last results mean the DLL is not injected into the process, which is why the tests succeed/fail, depending how you look at it. The installation path to Sandboxie is found, so I don't know why yet. Try v1.0.0.4, and let's see if the sandboxie processes are enumerated correctly.

EDIT - I just noticed a " mark hiding in your output there. That might be the problem. Go ahead and test 1.0.0.4 anyway cause I want to see the output, but odds are it still won't work correctly.

thantik
Posts: 5
Joined: Mon Feb 16, 2009 5:11 am

Post by thantik » Mon Feb 16, 2009 3:33 pm

I'm getting similar results to what I posted before, using the injtest.exe from within my sandbox and specifying another sandboxed calc.exe as well as an unsandboxed one.

I'm taking a wild guess and thinking that when it says "Data Read from Process [xxx]:" that it should be all 0's or say that it could not be read right?

I'm still getting
Data Read from process [2628]:
0x4D5A90000300000004000000FFFF0000

wraithdu
Posts: 1410
Joined: Fri Jun 29, 2007 2:54 pm

Post by wraithdu » Mon Feb 16, 2009 4:39 pm

Yes, the DLL is not being loaded correctly currently. I'm working on it kinda blind without an XP testbed (until I get home tonight).
Try v1.0.0.5. I've added a routine to remove any quotes from the sandboxie path, which may have been messing things up.

thantik
Posts: 5
Joined: Mon Feb 16, 2009 5:11 am

Post by thantik » Mon Feb 16, 2009 4:50 pm

W00t (I think.)

I ran injtest.exe against calc in sandbox with the new 1.0.0.5 version...and I got:

System-Wide process/thread snapshot handle:
0xFFFFFFFF

Data Read from process [4032]:
0x000000000000000000000000000000

Process module snapshot handle:
0xFFFFFFFF

wraithdu
Posts: 1410
Joined: Fri Jun 29, 2007 2:54 pm

Post by wraithdu » Mon Feb 16, 2009 4:58 pm

Good! Try running injtest against another sandboxed process in the same sandbox. The cmd.exe instance you're launching injtest from will work fine. Then try launching Windows Explorer via the Run Sandboxed menu. Running explorer was ultimately the goal here.

wraithdu
Posts: 1410
Joined: Fri Jun 29, 2007 2:54 pm

Post by wraithdu » Mon Feb 16, 2009 6:55 pm

I tried out 1.0.0.5 on my XP system at home, and I can get explorer.exe to open successfully, and the process blocking works. However I can't launch any programs or files from within a sandboxed explorer or cmd prompt. I'm not sure exactly why, but it surely has to do with the blocks in place. Do you guys get the same behavior?

I also see that non-existing PID in the Dbgview log. I'm guessing it is the PID of the new process which hasn't been fully created yet. Since it doesn't really exist yet, the DLL flags it as not-sandboxed and denies access. This probably causes CreateProcess to fail. I don't know how to work around that at the moment.

But ForcedProcess works, and anything started via Start.exe works as well.

thantik
Posts: 5
Joined: Mon Feb 16, 2009 5:11 am

Post by thantik » Mon Feb 16, 2009 8:26 pm

I get
SBIE2313 - Could not execute SandboxieRpcSs.exe
and
SBIE2204 Cannot start sandboxed service RpcSs

When trying to run windows explorer.

Injtest returns the same values on sandboxed and nonsandboxed applications.

Me personally, I am fine not being able to run explorer - I figure that's the first thing something is going to try and hijack so I'll be keeping this version ;)

wraithdu
Posts: 1410
Joined: Fri Jun 29, 2007 2:54 pm

Post by wraithdu » Mon Feb 16, 2009 10:06 pm

EDIT - Ok, so I finally got the errors you've described trying to run Firefox. Strange that it doesn't happen for the same programs on all systems. At this point, I don't have a solution. I have an idea for a possible cause that I'm running by tzuk in the hopes he'll have some insight. But as it is now, the DLL is functioning as designed. The key here is this unknown PID that keeps showing up in the Dbgview log and gets blocked.

I'll keep everyone posted on progress.

hch

Post by hch » Mon Feb 16, 2009 10:59 pm

Hi,

I've tested out v1.0.0.5. I'm getting the same errors as thantik, "SBIE2313 - Could Not Execute SandboxieRpcSs.exe" and "SBIE2204 - Cannot Start Sandboxed Service RpcSs". All in all, the functionality seems to be similar to v1.0.0.1.

Process blocking does work, but explorer does not open.

DbgView output a lot of information this time round.

Code:

[7624] "C:\Program Files\Sandboxie\SbieSvc.exe"
[7624] C:\Program Files\Sandboxie\SbieSvc.exe
[7624] Sandboxie path: C:\Program Files\Sandboxie\
[7624] C:\Program Files\Sandboxie\SandboxieBITS.exe
[7624] C:\Program Files\Sandboxie\SandboxieCrypto.exe
[7624] C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
[7624] C:\Program Files\Sandboxie\SandboxieEventSys.exe
[7624] C:\Program Files\Sandboxie\SandboxieRpcSs.exe
[7624] C:\Program Files\Sandboxie\SandboxieWUAU.exe
[7624] C:\Program Files\Sandboxie\SbieCtrl.exe
[7624] C:\Program Files\Sandboxie\SbieSvc.exe
[7624] C:\Program Files\Sandboxie\Start.exe
[7624] C:\WINDOWS\explorer.exe
[7624] Target proc is not an SBIE proc.
[7624] ----------
[7624] Injected into process: [7624] C:\WINDOWS\explorer.exe
[7624] Pointers:
[7624] SbieDll_Hook: 7D22BA00
[7624] SbieApi_QueryProcess: 7D2454A0
[7624] pNtOpenProcess: 00DF0BD0
[7624] pNtReadVirtualMemory: 00DF0BF0
[7624] pNtQuerySystemInformation: 00DF0C10
[7624] pCreateToolhelp32Snapshot: 00DF0C30
[7624] ----------
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtReadVirtualMemory intercepted
[7624] Allowing NtReadVirtualMemory
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtOpenProcess intercepted
[7624] Target PID: 7624
[7624] Allowing NtOpenProcess
[7624] NtOpenProcess intercepted
[7624] Target PID: 7624
[7624] Allowing NtOpenProcess
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtQuerySystemInformation intercepted
[7624] Allowing NtQuerySystemInformation
[7624] NtReadVirtualMemory intercepted
[7624] IsPIDSandboxed
[7624] Target PID: 7636
[7624] BoxName: 
[7624] ImageName: 
[7624] SidString: 
[7624] SessionId: 0
[7624] Blocking NtReadVirtualMemory

v1.0.0.5
Processes That Didn't Work - SandboxieRpcSs.exe and SandboxieDcomLaunch.exe
Explorer Functioning? - No
Process Reading Protected - Yes! (Sandboxed processes could not access unsandboxed processes)

p.s. I didn't get to try out version 1.0.0.4, by the time I checked this post again it was already replaced with 1.0.0.5

wraithdu
Posts: 1410
Joined: Fri Jun 29, 2007 2:54 pm

Post by wraithdu » Tue Feb 17, 2009 12:33 am

Alright! v1.0.0.6 should fix the problems. Since I was finally able to reproduce it, turns out I was right in my guess. The mysterious PID is what would be SandboxieRpcSs or SandboxieDcomLaunch (depending on the error). So I added another check: if the target process tests not sandboxed (which happens with our mysterious PID), then it checks if it is a child process of the currently sandboxed process and allows the call (since all child processes of sandboxed processes are also sandboxed). Now the PID is found.

With this change I was able to get Firefox to run, explorer to run, and I was able to launch other processes from a sandboxed cmd prompt and a sandboxed explorer window.
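The v1.0.0.6 decision rule wraithdu describes, written out as an added illustration that is not the utility's own code: a constructed process snapshot (all PIDs, parents and box names are made up) stands in for the real system snapshot and SbieApi_QueryProcess lookups, and `allow_process_access` applies the self, same-box and child-of-caller checks before a call is blocked.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a process snapshot (no real NtQuerySystemInformation
 * or SbieApi_QueryProcess call): PID, parent PID, and the box name the hook
 * would get back ("" = reported as not sandboxed, as with the not-yet-created
 * child PID in the DbgView log above). */
typedef struct {
    unsigned pid, parent_pid;
    const char *box_name, *image;
} proc_entry;

static const proc_entry snapshot[] = {
    { 4,    0,    "",           "System" },
    { 1200, 4,    "",           "explorer.exe" },        /* real, unsandboxed desktop */
    { 7624, 1200, "DefaultBox", "explorer.exe" },        /* sandboxed explorer, the caller */
    { 7636, 7624, "",           "SandboxieRpcSs.exe" },  /* child mid-creation, box unknown */
    { 2628, 1200, "",           "calc.exe" },            /* unsandboxed calc */
    { 3100, 7624, "DefaultBox", "cmd.exe" },             /* another process in the same box */
};
#define SNAPSHOT_LEN (sizeof snapshot / sizeof snapshot[0])

static const proc_entry *find_proc(unsigned pid) {
    for (size_t i = 0; i < SNAPSHOT_LEN; i++)
        if (snapshot[i].pid == pid) return &snapshot[i];
    return NULL;
}

/* Walk the parent chain of pid; true if ancestor appears in it. The depth cap
 * guards against a looping parent chain, which PID reuse can produce in a real snapshot. */
static bool is_descendant_of(unsigned pid, unsigned ancestor) {
    const proc_entry *p = find_proc(pid);
    for (int depth = 0; p != NULL && depth < 64; depth++) {
        if (p->parent_pid == ancestor) return true;
        p = find_proc(p->parent_pid);
    }
    return false;
}

/* v1.0.0.6 rule: a sandboxed caller may touch itself, any process in its own
 * box, or a process not (yet) reported as sandboxed that descends from it,
 * since children of a sandboxed process are sandboxed too. Anything else is
 * treated as unsandboxed and the NtOpenProcess/NtReadVirtualMemory call is blocked. */
bool allow_process_access(unsigned caller_pid, const char *caller_box, unsigned target_pid) {
    const proc_entry *t = find_proc(target_pid);
    if (caller_pid == target_pid) return true;
    if (t != NULL && t->box_name[0] != '\0' && strcmp(t->box_name, caller_box) == 0) return true;
    return is_descendant_of(target_pid, caller_pid);
}
```

With the v1.0.0.5 behaviour the third check did not exist, so PID 7636 (box name empty because the process was still being created) was blocked, which is the "Blocking NtReadVirtualMemory" line in hch's log.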
