 |
|
nick s
| Joined: 20 Dec 2008 |
| Posts: 329 |
|
|
|
 Posted: Mon Oct 26, 2009 4:03 pm |
|
 |
 |
|
|
| tzuk wrote: |
| If it's a 19144 bytes long file with CRC = 9dc00fdc then I have it. |
That matches my copy. |
|
_________________
Nick
|
|
tzuk
| Joined: 22 Jun 2004 |
| Posts: 15003 |
|
|
|
| Posted: Mon Oct 26, 2009 10:29 pm |
|
|
|
|
|
Thanks for the confirmation. I'll check it soon.
|
|
_________________
tzuk
|
|
tzuk
| Joined: 22 Jun 2004 |
| Posts: 15003 |
|
|
|
| Posted: Tue Oct 27, 2009 1:53 pm |
|
|
|
|
|
I looked into it. What normally happens with HIPS-type drivers is that they inject into the kernel somewhat similar to this:
Application --> Open Process API --> ...
... --> HIPS Driver --> Operating System --> Nt Open Process --> ...
... --> Sandboxie
But XueTr injects like this:
Application --> Open Process API --> ...
... --> Operating System --> Nt Open Process --> XeuTr --> ...
... --> Sandboxie
This difference is confusing to Sandboxie, because it looks like some driver (XueTr in this case) is issuing the Open Process request. Sandboxie always permits a request that it thinks came from a driver.
I'm not sure that I can resolve this conflict without explicitly identifying the XueTr driver by name, which is an option, but not the best one.
|
|
|
 |
 | |  |
|
tzuk
| Joined: 22 Jun 2004 |
| Posts: 15003 |
|
|
|
| Posted: Wed Oct 28, 2009 10:51 pm |
|
|
|
|
|
Update. I redesigned the way Sandboxie figures out if the call came from the application or a driver that happens to be operating in the context of that application. It resolves this particular conflict with XueTr. The new way should actually be more robust than the old way. I will release beta version 3.41.02 in a day or two, and you guys would be able to confirm it at that time.
|
|
|
|
nick s
| Joined: 20 Dec 2008 |
| Posts: 329 |
|
|
|
| Posted: Thu Oct 29, 2009 2:12 am |
|
|
|
|
|
| tzuk wrote: |
| Update. I redesigned the way Sandboxie figures out if the call came from the application or a driver that happens to be operating in the context of that application. It resolves this particular conflict with XueTr. The new way should actually be more robust than the old way. I will release beta version 3.41.02 in a day or two, and you guys would be able to confirm it at that time. |
Excellent. Thanks for the update. |
|
|
|
| | |
|
raid
| Joined: 23 Aug 2008 |
| Posts: 58 |
| Location: TN, USA |
|
|
| Posted: Thu Oct 29, 2009 5:48 am |
|
|
|
|
|
| tzuk wrote: |
| Update. I redesigned the way Sandboxie figures out if the call came from the application or a driver that happens to be operating in the context of that application. It resolves this particular conflict with XueTr. The new way should actually be more robust than the old way. I will release beta version 3.41.02 in a day or two, and you guys would be able to confirm it at that time. |
Sweet.
Also, is it possible for sandboxie to support "simulated" injection of one of it's files? I have a few malware samples that like to take over processes and then drop the files, and sandboxie isn't okay with this because it wants to hijack a kernel sandboxie driver; Only, I don't want it to be able to do it for real.  |
|
_________________
Everything is so different, yet I am the same...
|
|
| | |
|
Guest
|
|
| Posted: Thu Oct 29, 2009 1:31 pm |
|
|
|
|
|
Is this only releated to this POC used in the prescence of XueTr ? or could it be exploited by some rare types of malware w/o the aforementioned program being on the system?
|
|
|
|
tzuk
| Joined: 22 Jun 2004 |
| Posts: 15003 |
|
|
|
| Posted: Thu Oct 29, 2009 5:19 pm |
|
|
|
|
|
| Anonymous wrote: |
| Is this only releated to this POC used in the prescence of XueTr ? or could it be exploited by some rare types of malware w/o the aforementioned program being on the system? |
This problem can only occur when XueTr is running outside the sandbox.
| raid wrote: |
| Also, is it possible for sandboxie to support "simulated" injection of one of it's files? |
That depends on the injection I suppose. For example, if the malware tries to inject Explorer.exe you might simulate it by running Explorer.exe in the sandbox. |
|
|
|
tzuk
| Joined: 22 Jun 2004 |
| Posts: 15003 |
|
|
|
| Posted: Fri Oct 30, 2009 2:05 pm |
|
|
|
|
|
Should be fixed in version 3.41.02.
|
|
|
|
nick s
| Joined: 20 Dec 2008 |
| Posts: 329 |
|
|
|
| Posted: Sat Oct 31, 2009 3:24 am |
|
|
|
|
|
| tzuk wrote: |
| Should be fixed in version 3.41.02. |
Confirmed. Thanks for the fix. |
|
|
|
nick s
| Joined: 20 Dec 2008 |
| Posts: 329 |
|
|
|
| Posted: Sat Oct 31, 2009 4:12 am |
|
|
|
|
|
...and thanks as well to a256886572008 for reporting the issue.
|
|
|
|
You cannot post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 2 of 3
 Use the RSS feed to watch this topic for replies
|
|
|
|
| |
