cadjas.blogg.se

Sbie2331 sandboxie

Sandboxie is a sandbox that performs process isolation. In this article I will talk about Sandboxie's design and perform an analysis of it from a security point of view. Its design rests on three mechanisms:

- Access control over kernel resources by direct hooks on kernel objects.
- Some ssdt and shadow ssdt hooks to control window messages.
- Some registered kernel callbacks to be notified of process creation, image loading, ...

Sandboxie consists of an interface application, a service, ... but we are interested in two components: SbieDrv.sys, the driver that hooks in the kernel, and SbieDll.dll, the DLL that is injected into the sandboxed processes.

The driver registers callbacks with PsLoadImageNotifyRoutine and PsCreateProcessNotifyRoutine to be notified when an image is loaded or a process is created. The Sandboxie driver hooks the kernel to protect resources from sandboxed processes (it hooks kernel objects of type "Type", the ssdt and the shadow ssdt). The driver keeps a list of all the sandboxed processes it must control. If the parent of a created process is sandboxed, the new process is added to the list of sandboxed processes too. The resource access control is simple: if the process is sandboxed, access is denied, and if the process is not sandboxed, access is granted. However, Sandboxie does let sandboxed processes reach some resources. In addition it builds a "parallel" file system, registry, ... for sandboxed processes. For this reason Sandboxie exports a lot of functionality through Io Controls for accessing files, registry, ... in a secure way, so sandboxed processes must access system resources through the Sandboxie driver's Io Controls.

SbieDll hooks all exports of all the DLLs loaded into the sandboxed processes. This DLL is necessary to have the sandboxed processes working at all. When it hooks important APIs such as ZwCreateFile, ZwCreateProcess, ZwOpenKey, ..., the DLL stops the normal execution flow into the kernel and redirects it to SbieDrv Io Controls (if you remove all SbieDll user-mode hooks, with HookShark for example, you can see that the process can't access anything).

Sandboxie hooks some kernel objects found in the \ObjectTypes directory: token, process, thread, event, section, port and semaphore, all of type "Type". It hooks the function pointer OpenProcedure (of type OB_OPEN_METHOD) to control access to that type of object:

OBJECT_TYPE -> OBJECT_TYPE_INITIALIZER -> OpenProcedure

With this alone it can control disk file access, registry, ..., but it must control window messages too (managed by win32k.sys): it must stop some messages from sandboxed processes, windows hooks, ... To do that SbieDrv intercepts some ssdt and shadow ssdt APIs, for example win32k_NtUserCallHwndParamLock.
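To make the driver-side logic described above concrete, here is a small model, written for this article as an added example and not Sandboxie's own code, of two pieces of that design: the list of sandboxed processes fed by the process-creation notify callback (a child of a boxed process is boxed too, an exiting process leaves the list), and the access rule for a file resource (a non-sandboxed process is left alone; a sandboxed process has writes redirected into the "parallel" file system, reads of a few allowed locations granted, and everything else denied). The function names, the box root `C:\Sandbox\DefaultBox`, the `drive\C\...` layout of the parallel tree and the read allow list are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Sandboxie's code): a model of the driver's sandboxed
 * process list and its file access decision. BOX_ROOT, the parallel-tree
 * layout and the allow list are assumptions for the example. */

#define MAX_TRACKED 64
#define BOX_ROOT "C:\\Sandbox\\DefaultBox"   /* assumed box location */

enum sbx_decision { SBX_GRANT, SBX_DENY, SBX_REDIRECT };

static uint32_t g_boxed[MAX_TRACKED];   /* PIDs currently inside the box */
static size_t   g_boxed_count;

/* Locations a boxed process may read directly (assumed allow list). */
static const char *const g_read_allowed[] = {
    "C:\\Windows\\System32\\",
};

void sbx_reset(void) { g_boxed_count = 0; }

bool sbx_is_sandboxed(uint32_t pid)
{
    for (size_t i = 0; i < g_boxed_count; i++)
        if (g_boxed[i] == pid) return true;
    return false;
}

/* Called when Sandboxie itself launches a program inside the box. */
bool sbx_mark_sandboxed(uint32_t pid)
{
    if (sbx_is_sandboxed(pid)) return true;
    if (g_boxed_count == MAX_TRACKED) return false;   /* table full: refuse */
    g_boxed[g_boxed_count++] = pid;
    return true;
}

static void sbx_forget(uint32_t pid)
{
    for (size_t i = 0; i < g_boxed_count; i++)
        if (g_boxed[i] == pid) { g_boxed[i] = g_boxed[--g_boxed_count]; return; }
}

/* Model of the process-creation notify callback (PsSetCreateProcessNotifyRoutine
 * in the real kernel API): a child inherits its parent's box membership, and an
 * exiting process is dropped from the list. */
void sbx_on_process_notify(uint32_t parent_pid, uint32_t pid, bool create)
{
    if (!create) { sbx_forget(pid); return; }
    if (sbx_is_sandboxed(parent_pid)) sbx_mark_sandboxed(pid);
}

static bool has_prefix(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Decide a file access for pid. The path actually used is written to out:
 * unchanged on GRANT, the parallel-tree path on REDIRECT, empty on DENY. */
enum sbx_decision sbx_decide_file(uint32_t pid, const char *path, bool write,
                                  char *out, size_t out_len)
{
    out[0] = '\0';
    if (!sbx_is_sandboxed(pid)) {             /* not boxed: driver stays out of the way */
        snprintf(out, out_len, "%s", path);
        return SBX_GRANT;
    }
    if (strlen(path) < 3 || path[1] != ':')   /* only drive-letter paths are modelled */
        return SBX_DENY;
    if (has_prefix(path, BOX_ROOT)) {         /* already inside the box's own tree */
        snprintf(out, out_len, "%s", path);
        return SBX_GRANT;
    }
    if (write) {                              /* "C:\x\y" -> "<BOX_ROOT>\drive\C\x\y" */
        snprintf(out, out_len, "%s\\drive\\%c%s", BOX_ROOT, path[0], path + 2);
        return SBX_REDIRECT;
    }
    for (size_t i = 0; i < sizeof g_read_allowed / sizeof g_read_allowed[0]; i++) {
        if (has_prefix(path, g_read_allowed[i])) {
            snprintf(out, out_len, "%s", path);
            return SBX_GRANT;
        }
    }
    return SBX_DENY;                          /* the default for a boxed process */
}

int main(void)
{
    char buf[260];
    sbx_mark_sandboxed(1000);                  /* constructed: pid 1000 started in the box */
    sbx_on_process_notify(1000, 1001, true);   /* its child inherits membership */
    printf("pid 1001 boxed: %d\n", sbx_is_sandboxed(1001));
    enum sbx_decision d = sbx_decide_file(1001, "C:\\Users\\bob\\notes.txt", true, buf, sizeof buf);
    printf("write decision %d, path used: %s\n", d, buf);
    return 0;
}
```

The point worth noticing is where the policy lives: membership in the box is decided once at process creation and inherited, so the deny-by-default rule in `sbx_decide_file` never has to inspect the caller's code, only its pid. The real driver adds the registry, the object-type hooks and the Io Control interface on top of this same list.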