Implementing a Sandbox in Windows

Victor43

Implementing a Sandbox in Windows

Post by Victor43 » Mon Sep 04, 2017 2:28 am

I have found out that sandboxing involves hooking, or can at the very least, in order to intercept the call, but how is it possible to implement whether or not to permit or deny the call? Any thoughts or ideas, anyone? I've included a link to another forum where the discussion of hooking is at the forefront.

https://security.stackexchange.com/ques ... or-windows

Vrtule

Re: Implementing a Sandbox in Windows

Post by Vrtule » Mon Sep 04, 2017 12:56 pm

The sandbox may take advantage of interfaces that allow you to make block/permit decisions on the fly. Such interfaces exist for filtering registry, file system, network and process/thread accesses.

However, there are also mechanisms that permit you to only block the access (the Windows security model in general (DACLs, integrity levels, UIPI, ...), job objects...). Probably the best approach is to run the sandboxed code with the least privileges possible (or no privileges at all) and hook the functions for which more privileges are required. When the code uses the hooked routines, you may filter the calls yourself and allow it to perform certain actions (that cannot be performed with zero privileges). When it decides not to use the hooked routines, i.e. it actually attempts to bypass them, it cannot do anything interesting since it has no privileges.
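The design above pushes the permit/deny question out of the hook and into a broker: the hooked routine forwards the request, the broker decides, and the low-privilege process cannot act on its own if it skips the hook. The following is an added example (not code from this thread or from any Windows component) of the decision the broker has to make for a hooked file-open request. It is written in portable C so the policy logic can be exercised anywhere; the sandbox root `C:\Sandbox\Job1`, the read-only `C:\Windows` rule and the access bits are constructed for the example. The point it shows is that the check is only as good as the canonicalization in front of it: mixed slashes, case, `..`, `\\?\` namespace paths, `file:stream` syntax, trailing dots and reserved device names such as `NUL` all have to be resolved or refused before a prefix comparison means anything.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Access bits a hooked call may request from the broker (constructed for this example). */
enum { ACCESS_READ = 1, ACCESS_WRITE = 2 };

/* Policy table (constructed for this example): canonical, lowercase, drive-letter
 * prefixes and the access the low-privilege process may be granted under them. */
struct rule { const char *prefix; int allowed; };
static const struct rule POLICY[] = {
    { "c:\\sandbox\\job1", ACCESS_READ | ACCESS_WRITE },   /* the sandbox's own scratch area */
    { "c:\\windows",       ACCESS_READ },                  /* read-only access to OS files   */
};

/* Win32 reserved device names: "C:\dir\NUL" (or "NUL.txt") opens the NUL device, not a file. */
static bool is_reserved_name(const char *comp, size_t n) {
    static const char *names[] = { "con", "prn", "aux", "nul" };
    size_t stem = 0;
    while (stem < n && comp[stem] != '.') stem++;          /* the extension does not matter */
    for (size_t i = 0; i < sizeof names / sizeof *names; i++)
        if (stem == strlen(names[i]) && memcmp(comp, names[i], stem) == 0) return true;
    if (stem == 4 && (memcmp(comp, "com", 3) == 0 || memcmp(comp, "lpt", 3) == 0) &&
        comp[3] >= '1' && comp[3] <= '9') return true;     /* COM1..COM9, LPT1..LPT9 */
    return false;
}

/* Canonicalize a Windows path into lowercase "x:\a\b" form. Returns false for anything
 * the broker refuses to reason about: UNC or \\?\ and \\.\ namespace paths, stream
 * syntax (file.txt:stream), reserved device names, components with trailing dots or
 * spaces (which Win32 silently strips), and ".." that would climb above the root
 * (Win32 clamps that at the root; refusing it is the conservative choice here). */
static bool canonicalize(const char *in, char *out, size_t outsz) {
    char buf[512];
    size_t n = strlen(in);
    if (n < 3 || n >= sizeof buf || outsz < 4) return false;
    for (size_t i = 0; i < n; i++)
        buf[i] = (in[i] == '/') ? '\\' : (char)tolower((unsigned char)in[i]);
    buf[n] = '\0';
    if (!islower((unsigned char)buf[0]) || buf[1] != ':' || buf[2] != '\\') return false;
    if (strchr(buf + 2, ':')) return false;                 /* alternate data stream syntax */

    size_t o = 0;
    out[o++] = buf[0]; out[o++] = ':';                      /* "x:"; components appended as "\comp" */
    char *p = buf + 3;
    while (*p) {
        char *end = strchr(p, '\\');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || (len == 1 && p[0] == '.')) {
            /* empty component ("a\\b") or "." : nothing to add */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (o == 2) return false;                       /* ".." above the drive root */
            do { o--; } while (out[o] != '\\');             /* pop the last component */
        } else {
            if (p[len - 1] == '.' || p[len - 1] == ' ') return false;
            if (is_reserved_name(p, len)) return false;
            if (o + 1 + len >= outsz) return false;
            out[o++] = '\\';
            memcpy(out + o, p, len); o += len;
        }
        p = end ? end + 1 : p + len;
    }
    if (o == 2) out[o++] = '\\';                            /* bare drive root: "x:\" */
    out[o] = '\0';
    return true;
}

/* The decision a hook forwards to: true if the canonical path is covered by a rule that
 * grants every requested access bit. A prefix match must end on a component boundary so
 * "c:\sandbox\job1x" is not covered by "c:\sandbox\job1". Anything else is denied. */
bool broker_allow(const char *requested, int access) {
    char path[512];
    if (!canonicalize(requested, path, sizeof path)) return false;   /* default deny */
    for (size_t i = 0; i < sizeof POLICY / sizeof *POLICY; i++) {
        size_t plen = strlen(POLICY[i].prefix);
        if (strncmp(path, POLICY[i].prefix, plen) == 0 &&
            (path[plen] == '\0' || path[plen] == '\\') &&
            (POLICY[i].allowed & access) == access)
            return true;
    }
    return false;
}

int main(void) {
    /* Requests as a hooked CreateFile-style call might forward them (constructed input). */
    const struct { const char *path; int access; } reqs[] = {
        { "C:\\Sandbox\\Job1\\out.txt", ACCESS_WRITE },
        { "C:/SANDBOX/job1/../../Windows/System32/drivers/etc/hosts", ACCESS_WRITE },
        { "C:\\Sandbox\\Job1\\..\\..\\Windows\\notepad.exe", ACCESS_READ },
        { "\\\\?\\C:\\Sandbox\\Job1\\x", ACCESS_READ },
        { "C:\\Sandbox\\Job1\\x.txt:hidden", ACCESS_WRITE },
        { "C:\\Sandbox\\Job1\\NUL", ACCESS_READ },
        { "C:\\Sandbox\\Job1x\\a", ACCESS_READ },
    };
    for (size_t i = 0; i < sizeof reqs / sizeof *reqs; i++)
        printf("%-60s %s\n", reqs[i].path, broker_allow(reqs[i].path, reqs[i].access) ? "ALLOW" : "DENY");
    return 0;
}
```

In a real broker the canonical path is what you then open on the sandboxed process's behalf (and hand back as a handle), so the check and the use operate on the same string; checking the raw request and then opening the raw request is the classic way such a filter is bypassed.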

N3mes1s

Re: Implementing a Sandbox in Windows

Post by N3mes1s » Tue Sep 05, 2017 5:40 am

It's not exactly what you're looking for, but it could be a good start:

https://blog.trailofbits.com/2017/08/02 ... -so-i-did/

Victor43

Re: Implementing a Sandbox in Windows

Post by Victor43 » Fri Sep 15, 2017 4:09 am

Thanks to both replies.
