A forum for reverse engineering, OS internals and malware analysis 

 #30814  by Victor43
 Mon Sep 04, 2017 2:28 am
I have found out that sandboxing involves hooking, or at the very least can, in order to intercept the call, but how is it possible to implement whether to permit or deny the call? Any thoughts or ideas, anyone? I've included a link to another forum where the discussion of hooking is at the forefront.

https://security.stackexchange.com/ques ... or-windows
 #30817  by Vrtule
 Mon Sep 04, 2017 12:56 pm
The sandbox may take advantage of interfaces that allow you to make block/permit decisions on the fly. Such interfaces exist for filtering registry, file system, network and process/thread accesses.

However, there are also mechanisms that permit you only to block the access (the Windows security model in general (DACLs, integrity levels, UIPI, ...), job objects, ...). Probably the best approach is to run the sandboxed code with the least privileges possible (or no privileges at all) and hook the functions for which more privileges are required. When the code uses the hooked routines, you may filter the calls yourself and allow it to perform certain actions (that cannot be performed with zero privileges). When it decides not to use the hooked routines, i.e. actually attempts to bypass them, it cannot do anything interesting since it has no privileges.
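Added example (not code from the thread or from either poster) showing the permit/deny side of the design Vrtule describes: the sandboxed code is assumed to already run under a restricted token or job with no useful rights, so its only way to open a file is through a hooked CreateFileW that forwards the request to a privileged broker, and the broker applies the policy and performs the open on its behalf. The class and function names, the constructed request list and the fake opener are assumptions for illustration; the point of the policy code is the canonicalisation work a real broker has to do before a path-prefix rule means anything.

```python
# Added example, not from the original thread. Names (Policy, Broker,
# SandboxedProcess, fake_opener) and all sample paths are assumptions.
import ntpath
from dataclasses import dataclass
from enum import Enum, auto


class Access(Enum):
    READ = auto()
    WRITE = auto()


@dataclass(frozen=True)
class Request:
    op: str        # name of the hooked routine, e.g. "CreateFileW"
    path: str      # path exactly as the sandboxed code passed it
    access: Access


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    canonical: str = ""


def canonical_path(path):
    """Canonical Win32 path for policy comparison, or None if it must be refused.

    Device and UNC namespaces (\\\\?\\, \\\\.\\, \\\\server) are refused because they
    bypass Win32 normalisation; relative and drive-relative ("C:foo") paths are
    refused because their meaning depends on broker state, not on the rule.
    """
    if path.startswith("\\\\") or path.startswith("//"):
        return None
    drive, rest = ntpath.splitdrive(path)
    if len(drive) != 2 or drive[1] != ":" or rest[:1] not in ("\\", "/"):
        return None
    # normpath resolves "." and ".."; normcase folds case and forward slashes
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path, root):
    """True if canonical `path` is `root` or lies beneath it.

    The separator is appended so C:\\sandbox2 is not treated as inside C:\\sandbox.
    """
    return path == root or path.startswith(root.rstrip("\\") + "\\")


class Policy:
    """Permit/deny rules applied to the calls the hooks forward to the broker."""

    def __init__(self, read_roots, write_roots):
        self.read_roots = [canonical_path(r) for r in read_roots]
        self.write_roots = [canonical_path(r) for r in write_roots]
        assert None not in self.read_roots + self.write_roots, "bad root in policy"

    def decide(self, req):
        if req.op != "CreateFileW":
            return Decision(False, "no rule for routine " + req.op)
        canon = canonical_path(req.path)
        if canon is None:
            return Decision(False, "relative path or device/UNC namespace")
        roots = self.write_roots if req.access is Access.WRITE else self.read_roots
        if any(is_under(canon, r) for r in roots):
            return Decision(True, "inside an allowed root", canon)
        return Decision(False, "outside allowed roots", canon)


class Broker:
    """Privileged side: decides, logs, and performs the action for the sandbox."""

    def __init__(self, policy, opener):
        self.policy = policy
        self.opener = opener   # callable(canonical_path, access) -> handle
        self.audit = []        # (request, decision) pairs kept for review

    def handle(self, req):
        decision = self.policy.decide(req)
        self.audit.append((req, decision))
        if not decision.allowed:
            return None        # the hook turns this into ERROR_ACCESS_DENIED
        return self.opener(decision.canonical, req.access)


class SandboxedProcess:
    """Unprivileged side: CreateFileW is hooked and forwarded, never executed."""

    def __init__(self, broker):
        self.broker = broker

    def CreateFileW(self, path, access):
        # the hook body: an IPC round-trip to the broker, no direct syscall
        return self.broker.handle(Request("CreateFileW", path, access))


def fake_opener(canon, access):
    """Stand-in for the broker's real open (constructed); returns a pseudo-handle."""
    return "HANDLE(%s,%s)" % (canon, access.name)


def demo():
    """Run constructed requests through the hook; True means the broker allowed it."""
    policy = Policy(read_roots=[r"C:\sandbox", r"C:\Windows\Fonts"],
                    write_roots=[r"C:\sandbox\out"])
    sandbox = SandboxedProcess(Broker(policy, fake_opener))
    cases = [
        (r"C:\sandbox\input.txt", Access.READ),                     # inside read root
        (r"c:/SANDBOX/out/result.bin", Access.WRITE),               # case/slash variant
        (r"C:\sandbox\input.txt", Access.WRITE),                    # read-only root
        (r"C:\sandbox\..\Windows\System32\cmd.exe", Access.READ),   # traversal escapes
        (r"C:\sandbox2\secret.txt", Access.READ),                   # sibling, not child
        (r"\\?\C:\sandbox\input.txt", Access.READ),                 # device namespace
        (r"sandbox\input.txt", Access.READ),                        # relative path
    ]
    return [sandbox.CreateFileW(p, a) is not None for p, a in cases]


if __name__ == "__main__":
    print(demo())
```

The two layers matter together: the policy above only does anything useful if the sandboxed process really cannot open files on its own (a restricted token from CreateRestrictedToken, a low integrity level, a job object), and the hook is only a convenience for the sandboxed code, not the security boundary. Bypassing the hook lands the code back at the OS denial, which is exactly the property Vrtule describes.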