matu3ba / sandboxamples

Structured collection of sandbox programs including tests (fs, net access, permissions, process groups [if available]) and system setup programs. No VM stuff.
BSD Zero Clause License

static kernel API call filtering (seccomp and alternatives on other OSes) #5

Closed matu3ba closed 6 months ago

matu3ba commented 8 months ago

Unclear: can kernel32 or ntdll calls be patched, i.e. as admin or system user, by providing empty stubs? The idea would be to spawn suspended, patch out stubs with the debug API and do the same subsequently for spawned child processes.

matu3ba commented 6 months ago

Keep it in the README as an idea, because it is a huge pile of work.