Anti Keylogger and Clipboard monitor
Posted: Thu Nov 04, 2010 4:31 am
Thanks to tzuk for lots of help
SbieAKL is a DLL used to block keyloggers and clipboard monitors that are sandboxed.
Requires Sandboxie version v3.46 or higher (both 32-bit and 64-bit)
How to use it:
1、Put the DLLs and the ini file in the same place, for example C:\SbieAKL
2、Edit the "sandboxie.ini" file and add the following content for 32-bit
Code:
InjectDll=C:\SbieAKL\SbieAKL.dll
or this for 64-bit
Code:
InjectDll=C:\SbieAKL\SbieAKL.dll
InjectDll64=C:\SbieAKL\SbieAKL_64.dll
The content should be added under the sandbox in which you want to use the DLL.
About the ini file:
You should put the ini file in the same folder as the two DLLs.
In the ini file, you will see content like the below:
Code:
[OPTION]
;when LearnMode=1, please allow the sandboxed programs access the current ini file directly or fully
LearnMode=0
[ALLOW]
[CONTROL]
GetKeyState=1
GetAsyncKeyState=1
GetKeyboardState=1
WH_KEYBOARD_LL=1
WH_KEYBOARD=1
WH_JOURNALRECORD=1
GetRawInputData=1
GetRawInputBuffer=1
RegisterHotKey=1
AttachThreadInput=1
RegisterRawInputDevices=1
SetClipboardViewer=1
GetClipboardData=1
[EXCEPTION]
1、About the "CONTROL" section -----Global rule
All of the APIs hooked by the DLL are listed under the "CONTROL" section. You can set a value to "0" to turn off an API hook. If all of the hooks are turned off, the sandboxed programs will not be injected by the DLL.
Notice: All the sandboxed programs use this control, so if you turn off an API hook, that API hook is turned off for all sandboxed programs.
2、About the "EXCEPTION" section -----Exception rule
Here, you can turn off one or more API hooks for one or more programs; other sandboxed programs are not affected by these rules.
For example:
C:\Program Files\Internet Explorer\iexplore.exe = GetKeyState,GetKeyboardState
GetKeyState and GetKeyboardState are not hooked if the injected program is iexplore.exe.
Notice: If you want to add an exception rule, you should use the full path of the program.
3、About the "ALLOW" section -----White list
If a program is put here, it will not be injected by the DLL, so there is no hook for it. Usually, you would put your trusted programs here.
For example:
C:\Program Files\Internet Explorer\iexplore.exe = 1
Now IE is a trusted program.
Notice: The full path is required, and the value should be "1".
4、LearnMode -----Same as the learn mode of a HIPS
If you set its value to "1", the DLL records all of the APIs used by a program and writes a rule to the ini file when the program exits. The next time the program runs, the DLL will not hook these APIs. So "LearnMode" can help you make a trusted program work correctly.
Notice: If you turn on "LearnMode", please allow the sandboxed programs to access the current ini file directly or fully.
Download:
SbieAKL
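Added example, not part of the original post or of SbieAKL itself: a small Python audit that reads an ini file in the layout shown above and reports which hooks each program actually keeps once the ALLOW, CONTROL and EXCEPTION rules are combined as the post describes. The sample ini, the path C:\Tools\trusted.exe, the function names and the case-insensitive path comparison are assumptions made for illustration.

```python
import configparser

# Constructed sample in the layout the post shows (not the shipped file).
SAMPLE_INI = r"""
[OPTION]
LearnMode=0
[ALLOW]
C:\Tools\trusted.exe = 1
[CONTROL]
GetKeyState=1
GetAsyncKeyState=1
GetKeyboardState=1
SetClipboardViewer=1
GetClipboardData=0
[EXCEPTION]
C:\Program Files\Internet Explorer\iexplore.exe = GetKeyState,GetKeyboardState
"""

def load(text):
    # Split on '=' only: full paths contain ':', a default configparser delimiter.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep API names and paths as written
    cp.read_string(text)
    return cp

def _lookup(cp, section, program):
    # Assumption: program paths are compared case-insensitively.
    for key, value in cp.items(section):
        if key.lower() == program.lower():
            return value.strip()
    return None

def global_hooks(cp):
    return {api for api, v in cp.items("CONTROL") if v.strip() == "1"}

def effective_hooks(cp, program):
    """APIs still hooked for `program`; None means the DLL is not injected."""
    hooks = global_hooks(cp)
    if _lookup(cp, "ALLOW", program) == "1" or not hooks:
        return None  # white-listed, or every global hook is off
    exempt = _lookup(cp, "EXCEPTION", program) or ""
    return hooks - {a.strip() for a in exempt.split(",")}

def weakened(cp):
    """Map each program in ALLOW/EXCEPTION to the global hooks it does not get."""
    progs = [p for s in ("ALLOW", "EXCEPTION") for p, _ in cp.items(s)]
    return {p: sorted(global_hooks(cp) - (effective_hooks(cp, p) or set()))
            for p in progs}
```

Running weakened() after a LearnMode session shows which hooks the automatically written rules removed, so they can be reviewed before the ini file is trusted.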