sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0

Add sbiedll detection bypass #2310

Closed Aholicknight closed 1 year ago

Aholicknight commented 2 years ago

Is your feature request related to a problem or use case?

[Screenshot: msedge_2010862948]

Some programs that I want to run in a sandbox can detect that the program is being run in a sandbox via module names. As seen in the screenshot, the detection method used is the DLL name. Most of these programs that have this are also protected with VMProtect or a different protector and cannot be modified.

Describe the solution you'd like

An option to rename the sbiedll to something else, to reduce sandbox detections.

Describe alternatives you've considered

bastik-1001 commented 2 years ago

This is possibly a duplicate of #234 and #2178.

If a custom dll name is all it takes to evade detection, then it might be worth it. Once they apply more sophisticated approaches, it may fail, and I see why David does not want to get into an arms race, playing cat and mouse.

ghost commented 2 years ago

Besides blocking access to the file, you may fake its path.

Aholicknight commented 2 years ago

> Besides blocking access to the file, you may fake its path.

@mysteriously how would I block access to the file or the path? Does this require Sandboxie premium?

paradoxicallist commented 2 years ago

> Besides blocking access to the file, you may fake its path.

Could you show us an example please?

ghost commented 2 years ago

You can block using the ini or create a symlink to a fake path.

You didn't mention the name of the software.

Aholicknight commented 2 years ago

> You can block using the ini or create a symlink to a fake path.
>
> You didn't mention the name of the software.

I'll try this.

i486 commented 1 year ago

@DavidXanatos

Are there any documents on how to build it?

Aholicknight commented 1 year ago

@DavidXanatos do you know how I can symlink sbiedll? Thank you.

Aholicknight commented 1 year ago

@mysteriously can you please show what the ini file should look like when blocking sbiedll? Thank you.

ghost commented 1 year ago

Ok, let's summarize that.

You are trying to run some shady software which detects SBIE for a reason. You don't even bother to post the name of the software, though. So, you know it is doing its job, but at the same time you literally went to the official support forum to ask for help anyway. Even if you find a solution and the shady software developer detects that you are somehow bypassing the protection mechanism, this forum will be the first place for the shady software developer to look for an answer to why his protection does not work anymore.

What's more, you expect to post the solution in public instead of keeping it for yourself once you find it.

Seriously dude?

VeroFess commented 1 year ago

try this https://github.com/VeroFess/SbieHide

DavidXanatos commented 1 year ago

@VeroFess oh, this is very nice, so this issue can be closed, great :D I have added a new readme section listing SbieHide: https://github.com/sandboxie-plus/Sandboxie/blob/master/README.md#-usefull-tools-for-sandboxie I hope that's all right?

krudge137 commented 1 year ago

> This is possibly a duplicate of #234 and #2178.
>
> If a custom dll name is all it takes to evade detection, then it might be worth it. Once they apply more sophisticated approaches, it may fail, and I see why David does not want to get into an arms race, playing cat and mouse.

Can you help me with that please? All I need is to rename the dll; I'm fine with it being detected as long as it doesn't have Sbiedll.dll. I have tried renaming the dll through my_version.h. I don't know if I did something wrong, but it didn't work as intended.

isaak654 commented 1 year ago

> all I need is to rename the dll

👉 https://github.com/sandboxie-plus/Sandboxie/issues/2880#issuecomment-1532087581