Other than the HKLM registry access exception, this is not an academic exercise for me. Although this is asked in the context of a large business deployment of Sandboxie, it is applicable to all users of the software.
Consider the following scenario:
- A user uses Sandboxie to isolate Firefox and any child processes into a sandbox
- This sandbox is "light virtualization," implemented with a driver and dll injected into all sandboxed processes utilizing the Windows API to control and redirect operations into an isolated registry and disk area, rather than running another OS in a hypervisor
- Firefox and child programs believe they have full write access to the file system and registry. They also believe that the changes they make are to the real system. Firefox and sub programs have absolutely no idea of their virtualization.
- There are two exceptions that the user has specified
- Firefox can create and modify files in the user's real Downloads folder in the user's profile.
- Firefox can create and modify the host system's real HKLM RunOnce registry keys
- The user downloads virus.exe with Firefox to the Downloads folder.
- Using Firefox, the user launches virus.exe. Although it is stored in the real Download folder, it is sandboxed since it was launched by the user telling Firefox to launch it.
- WSA can see virus.exe running it and knows it is not trustworthy. WSA begins journaling virus.exe changes.
- virus.exe is given free reign to infect its isolated area. It modifies core system files and registry keys in the sandbox.
- virus.exe dump payload.exe into the user's real Downloads folder and creates an HKLM RunOnce key to launch payload.exe on next system boot. Because of the sandbox exceptions, it is able to do these two actions outside of the sandbox and on the host system.
- WSA detects virus.exe and kills the process
- The sandbox no longer has any running processes and is stopped and deleted. The only remaining traces are payload.exe and the HKLM registry key to run it on the next boot.
- WSA begins its cleanup process.
- Are there any theoretical ways that WSA would be confused and apply rollback changes to the real system, when the actual changes happened in the sandbox?
- Would it see the changes virus.exe made outside the sandbox?
So WSA would not be fooled or misled regardless of what a process thinks it's doing in it's own driver-supported fantasy land? Its monitoring for system-level actions occurs directly and is not informed/overriden by information sampled from a process itself?
I'm doing the best I can with the terminology - I'm unfortunately not a programmer nor have I gotten around to finishing the Sysinternals books.
First, I should mention that we are testing this internally now to confirm what I mentioned before with Sandboxie.
As long as execution is taking place on the system, we should see these events. The driver for the sandbox is redirecting changes made by the process into the virtualized space. In any case, the application being sandboxed is still executing and performing its actions which we should record.
I will update this thread once I've heard back from Threat Research.
I'm very interested in this issue.
explanoit, thank you for opening this valuable thread:D