The Portable Freeware Collection Forums

billon wrote: ↑Builds from xanasoft

The 'SbieDrv.sys' driver must be signed, and since the appropriate certificates are prohibitively expensive, I head to use a leaked code signing certificate I found laying around the Internets. This means some anti malware applications flag it as potentially dangerous:
https://www.virustotal.com/gui/file/f15 ... /detection

And I have a sort of road map, currently more an unsorted collection of ideas but its a start:

Data protection:
Sandboxie is great to protect the system from malicious modifications but with default configuration it does not protect user data from being accessed and exfiltrated.
Also it dos not protect the users privacy in therms of his user name and or unique hardware information like MAC-addresses or disk serial numbers, etc...

So I would like to make programs inside the sandbox see an empty user account just called user without access to the actual users profile data, ideally when creating a sandbox the user would choose if its a regular sandbox like currently or an anonymous sandbox without personal data.
For hardware information that is a subject for later...

Networking:
Sandboxie allows to restrict network access only through the ini file and iirc not on a per process basis. Of cause one can argue that per process is pointless as the processes inside can criss cross inject dll's so if one exe in it is allowed any other can in the end to.
But here my threat model is more privacy violating applications which don't use malware tactics, i.e. programs with unwanted Telemetry baked in.
Hence I would like to add a better control over the sand boxed application's network connectivity.
Definitely some easily accessible switch for each sandbox determining if the app inside can access the LAN, WAN or neither and not to far from it exception lists per process.

On one hand why not a full blown application firewall but than one can just use a 3rd party application firewall, not sure about the right balance between functionality for those that only have the windows firewall and redundancy for those with more advanced tools.

Application Virtualization:
Sandboxie due to the basic version being restricted to one sandbox at a time, never was much about using multiple sandboxes.
I would like to develop Sandboxie more towards a software packeting tool like the old Altiris SVS was, i.e. you install your software into a set of separated boxes and when you exchange your laptop or re install your Windows because MSFT broke it again, you just copy your box repo onto the new system and continue where you left of on the old one.

One could even think about a network based synchronization feature to use the same set of applications on multiple devices, and I would implement is on a P2P basis such that you don't necessarily need a home server, although one of this QNap or Synology boxes sure might be nice.

Complete UI Rebuild:
No, No, don't worry nothing like this atrocious win 10 modern UI abomination, but something more maintainable and better looking than the current plain C with Win-Forms, something with the esthetics of windows 7 or Classic XP.
If you need an idea what UI paradigms I cherish take a look on my Task Explorer.

Not sure if I will go with C++ and Qt again, or may be I try .NET C#, but there will be a completely new UI with a ton of easily accessible options, no more messing around with ini files.

Better Analysis Infrastructure:
Sandboxie hooks a many API calls, not all of them but a ton, and what output do we get, some Error Messages and a very basic Resource Access Monitor.
I think we can do better, much better in fact, a full verbose log of all the hooked API calls and parameters, imagine ProcMon.exe on steroids, something along the lines of WinAPIOverride. I think that would be extremely useful in resolving compatibility issues.
What we would also need would be the ability to create permissive testboxes i.e. just instrument/hook a process but don't isolate it from the system. With that comparing an applications traces from a sandbox and a testbox on the same system would make finding the calls where something went wrong child's play.

On this note I think a tool that pretty much captures all API calls might be very useful for ReactOS/WINE developers, actually why not set out to add official ReactOS support to sandboxie.

Plugins or Scripting:
Sandboxie implements many hard-coded workarounds for various Applications for example search for "chrome" in the code 133 results...
IMHO we should be able to implement workarounds ideally as scripts or at least as binary plugins, such that whenever something needs fixing its not necessary to rebuild and reinstall the entire project.

Now, booth options would need in principle a complete rework of the SbieDLL. Binary plugins are definitely doable with decent performance, scripting that's a different can of worms.

Limited Driver Support:
And last something to dream about...
When playing around with WINE (which is not an emulator) I noticed that I can there in fact load a driver as long as it does not need hardware access and generally doesn't do to much.
WINE spins up a User Mode process with the necessary API for a windows driver to load and do something. That may be useful for some use cases.
Now I have no idea how much work it would be to back port that to windows and plug it into the Sandboxie infrastructure, but it definitely would be a lot of fun.
Muhahahahahaha...

Userfriendly wrote: ↑Tue Apr 14, 2020 6:49 am Interesting roadmap/ideas/plans

Sandboxie is a sandbox-based isolation software for 32- and 64-bit Windows NT-based operating systems. It creates a sandbox-like isolated operating environment in which applications can be run or installed without permanently modifying local & mapped drives or the windows registry. An isolated virtual environment allows controlled testing of untrusted programs and web surfing.

Added
•added option to alter reported Windows version "OverrideOsBuild=7601" for Windows 7 SP1
• the trace log can now be structured like a tree with processes as root items and threads as branches

Changed
• SandboxieCrypto now always migrates the CatRoot2 files in order to prevent locking of real files
• greatly improved trace log performance
• MSI Server can now run with the "FakeAdminRights=y" and "DropAdminRights=y" options
-- special service allowance for the MSI Server can be disabled with "MsiInstallerExemptions=n"
• changed SCM access check behaviour; non elevated users can now start services with a user token
-- elevation is now only required to start services with a system token
• reworked the trace log mechanism to be more verbose
• reworked RPC mechanism to be more flexible

Fixed
• fixed issues with some installers introduced in 5.48.0
• fixed "add user to sandbox" in the Plus UI
• FIXED SECURITY ISSUE: the HostInjectDll mechanism allowed for local privilege escalation (thanks hg421)
• Classic UI no longer allows to create a sandbox with an invalid or reserved device name

nathanmark6 wrote: ↑Tue Mar 30, 2021 2:44 am sandboxie is not even working for me now. Do you guys know any good alternatives?