SbieCtrl.exe : SbieDll.dll was not found.

[krudge137]

Describe what you noticed and did

https://github.com/sandboxie-plus/Sandboxie/discussions/2877

I have tried renaming the SbieDll.dll in my_version.h but it still give me the SbieDll.dll was not found error, did anyone figure out how to fix this?

How often did you encounter it so far?

Everytime

Affected program

SbieCtrl.exe

Download link

Not relevant

Where is the program located?

Not relevant to my request.

Expected behavior

For SbieCtrl.exe to be able to read the provided dll name through the code.

What is your Windows edition and version?

w10 21h1

In which Windows account you have this problem?

I use the built-in Administrator account.

Please mention any installed security software

None

What version of Sandboxie are you running?

1.9.2

Is it a new installation of Sandboxie?

I recently did a new clean installation.

Is it a regression?

No response

In which sandbox type you have this problem?

Not relevant to my request.

Can you reproduce this problem on a new empty sandbox?

Not relevant to my request.

Did you previously enable some security policy settings outside Sandboxie?

No response

Crash dump

No response

Trace log

No response

Sandboxie.ini configuration

No response

[DavidBerdik]

It's been quite a while since I worked on this. I don't even have the fork of Sandboxie that I made these changes to anymore since it's so old. That said, I do still have a patch file saved from when I experimented with this. I doubt that you will be able to directly apply the patch to the current head of the Sandboxie repo, but at the very least, it might help you track down all of the places where the SbieDll.dll file is referenced.

ba1905243ecaceed383562ac92f61bb6cac3a6ac.patch

Depending on what you're trying to achieve, renaming the file may not be necessary. Have you looked at using SbieHide? I have never used it myself, but from what I understand, it is sometimes enough to evade detection.

[isaak654]

@krudge137 Stop crossposting, please.

[krudge137]

It's been quite a while since I worked on this. I don't even have the fork of Sandboxie that I made these changes to anymore since it's so old. That said, I do still have a patch file saved from when I experimented with this. I doubt that you will be able to directly apply the patch to the current head of the Sandboxie repo, but at the very least, it might help you track down all of the places where the SbieDll.dll file is referenced.

ba1905243ecaceed383562ac92f61bb6cac3a6ac.patch

Depending on what you're trying to achieve, renaming the file may not be necessary. Have you looked at using SbieHide? I have never used it myself, but from what I understand, it is sometimes enough to evade detection.

Hey, I was able to rename SbieDll.dll from the info provided in your Patch file however I couldn't manage to get it load with my compiled sandboxie build.

I made an x64 installer following the Sandboxie Classic installer instructions.

I enabled test mode and rebooted my pc then I ran the installer and it was successfully installed.

But it didn't start the SbieSvc service , the service was created but it was stopped and when I tried to run it manually it didn't run nor show any sort of errors.

I've tried signing the files but I couldn't manage to do it either, does this still work by anychance?

How did you manage to make the SbieSvc start after the installation? (if you still remember)

Also I'm not trying to evade the SbieDll.dll detection , I just want to be able to change it's name and make the SbieSvc start as it should, I don't have a problem with it being detected.

Yes I've tried SbieHide and it's not what I'm looking for.

[DavidBerdik]

How did you manage to make the SbieSvc start after the installation? (if you still remember)

I recall having issues with the service starting as well. For me, the reason it was failing is because @DavidXanatos added a check internal to Sandboxie that verifies that the driver is signed before loading it, and if that check fails, then it won't load. I worked around this by changing this function to always return TRUE.

Also I'm not trying to evade the SbieDll.dll detection , I just want to be able to change it's name and make the SbieSvc start as it should, I don't have a problem with it being detected.

I suppose that it's not really any of my business, but I am not sure what the point is of trying to change the name unless you are specifically trying to evade detection.

[krudge137]

I recall having issues with the service starting as well. For me, the reason it was failing is because @DavidXanatos added a check internal to Sandboxie that verifies that the driver is signed before loading it, and if that check fails, then it won't load. I worked around this by changing this function to always return TRUE.

I've tried changing that function to always return True and the service now starts when I'm on test mode (thanks to you😊) , or when I have driver signature enforcement disabled, the only issue here is the tool I'm using detects test mode and it refuses to run when it's enabled but it runs fine when driver signature enforcement is disabled, is there a way to have it permanently disabled so I don't have to do it manually each time I bootup my pc?

I suppose that it's not really any of my business, but I am not sure what the point is of trying to change the name unless you are specifically trying to evade detection.

The tool I'm using checks the modules that are loaded into the a specific process and then sends the data back to the owner of the tool, that's why I want to change the name because evading the detection in my case is pretty much impossible thing to do (at least for me), and it's also why I couldn't use the SbieHide because the mechanism it's using is also detected by the tool that I'm trying to hide it from.

[DavidBerdik]

I've tried changing that function to always return True and the service now starts when I'm on test mode (thanks to you😊) , or when I have driver signature enforcement disabled, the only issue here is the tool I'm using detects test mode and it refuses to run when it's enabled but it runs fine when driver signature enforcement is disabled, is there a way to have it permanently disabled so I don't have to do it manually each time I bootup my pc?

Unfortunately, unless you have a means of getting a driver signed legitimately by Microsoft, getting a self-built version of the driver to work without test signing enabled requires you to self-sign it using a leaked certificate. Before you try experimenting with signing with a leaked certificate, there are some things about this method that you should know:

• Not all leaked certs are going to work on all versions of Windows. In the early days of Sandboxie Plus, @DavidXanatos signed his releases with the well-known "HT Srl" leaked certificate before eventually obtaining a legitimate certificate for it. For years after the leak took place, this cert could be used to sign and run drivers without test mode enabled, however, this is no longer the case. I believe it still works with old and outdated versions of Windows 10, but on newer versions of 10 as well as 11, it does not work.
• Just because you manage to find a certificate that works for your operating system for now does not mean that it will continue to work in the future. With every update that Microsoft releases, there's a chance that the certificate you're using will be blacklisted.
• Your antivirus software is likely to get very trigger-happy with trying to block your self-built driver from running. This is because malware developers often use leaked certificates and so, antivirus software starts freaking out when it sees something signed with a leaked cert.

The tool I'm using checks the modules that are loaded into the a specific process and then sends the data back to the owner of the tool, that's why I want to change the name because evading the detection in my case is pretty much impossible thing to do (at least for me), and it's also why I couldn't use the SbieHide because the mechanism it's using is also detected by the tool that I'm trying to hide it from.

Interesting. So, it sounds like you are trying to evade detection after all!

[DavidXanatos]

See: https://github.com/sandboxie-plus/Sandboxie/blob/0dedccfc37a4f2e23605000a0f0cdfc516e6df57/Sandboxie/core/drv/util.c#L353 it pretty definitely should return true when in test mode, no idea why it does not work for you, see also: https://github.com/sandboxie-plus/Sandboxie/blob/0dedccfc37a4f2e23605000a0f0cdfc516e6df57/Sandboxie/core/drv/util.c#L329 For me this works reliably, if you have a different experience, perhaps you could add some DbgPrint to the MyIsTestSigning function to find out why on your system it does not correctly indicate test mode being activated.

[github-actions[bot]]

As it has been 3 months since the last activity, we are automatically closing this issue in 14 days. If it is still present, please respond to help us investigate on newer Sandboxie versions. Thank you for your contribution!