View Single Post
  #4  
Old 08-05-2021, 14:58
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 128
Rept. Given: 1
Rept. Rcvd 31 Times in 21 Posts
Thanks Given: 42
Thanks Rcvd at 270 Times in 85 Posts
DavidXanatos Reputation: 31
Quote:
Originally Posted by deepzero View Post
Why not just patch it out of the PE header?
Well snadboxie is not supposed to alter the unsandboxed files thats why, as a worst case workaround though I could always make a sandboxed copy of a file with the patch applied but that's not really what i want.


Quote:
why do you think it can be disabled via registry?
because I can:

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]
"MitigationOptions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,20,00,00,\
  00,00,00,00,00,00
"MitigationAuditOptions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00
"EAFModules"=""
Thats what the deffender UI does when I disable it there for a given process here chrome.exe and i tested when i add such entries with reg edit they also are im effect.

as said it seams that NtCreateUserProcess is reading this location and applying the values as instructed.

So when spawning processes from within the sandbox, where I have a hook at CreateProcessInternalW I can use the unsandboxed helper service to create the required reg entries.


The only scenario that is thoroughly broken is the forces process feature, of sandboxie, where a user starts a process outside by whatever means and this process based on its name, working directory or so is to be forced into the sandbox. A worst case workaround would be to kill it when sbie notices that flag is set and re spawn it in the sandbox. Not the best of all possible solutions but if nothing else works also a viable option in the end.




Anyhow I have looked mor thoroughly into what is actually broken with all the sandboxie hooks and etc ... and it seams the low level injection mechanism is fine as well as the later sbiedll hooks, the only thing that gets broken by this mitigation are the hooks on all the ntdll syscall stubs so possibly there is a way to re architecture those hooks in a way that will work with that mitigation...
Reply With Quote
The Following User Says Thank You to DavidXanatos For This Useful Post:
niculaita (08-06-2021)