sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0

/force_children in ini file #4070

Closed 1mm0rt41PC closed 2 months ago

1mm0rt41PC commented 2 months ago

Is your feature request related to a problem or use case?

I have a use case where I want all processes launched by WINWORD.exe to be sent to the XXXX sandbox. But WINWORD.exe is not in the sandbox. I can do it with the command line: "C:\Program Files\Sandboxie-Plus\Start.exe" /box:HellGate /force_children "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

But it's not very practical when I want to catch a double-click on myfile.docx.

Describe the solution you'd like

Add an argument to each box:

[myBox]
force_children=WINWORD.exe

or

[myBox]
force_children=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

Describe alternatives you've considered

I have tried adding a debugger to catch process creation, but it crashes WinWord:

Windows Registry Editor Version 5.00

; IFEO hook: Windows starts the "Debugger" command and appends the original
; WINWORD.EXE command line to it.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE]
"Debugger"="C:\\program Files\\Sandboxie\\start.exe /box:HellGate /force_children"

love-code-yeyixiao commented 2 months ago

You can try to change the association of the file in question. For example "Start.exe /fcp /box:xxx winword.exe %1". The original version of this feature was based on the ini configuration, but it was later outlawed.
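
The association change suggested in the comment above, as an added worked example (this script is not part of the issue thread or of the Sandboxie project). It rewrites the shell "Open" command of the Office document ProgIDs so that a double-click runs the Office binary through Start.exe /fcp /box:<box>, and every child the Office process spawns ends up in the box. Assumptions, all adjustable through the parameters: Sandboxie-Plus is installed at C:\Program Files\Sandboxie-Plus\Start.exe, the box is named HellGate, and the ProgIDs are the default ones for .docx/.xlsx/.pptx (Word.Document.12, Excel.Sheet.12, PowerPoint.Show.12). Without -Apply it only prints the before/after commands.

```powershell
<#
  Added example, not code from the issue thread or the Sandboxie project.
  Wraps the shell "Open" command of the Office document ProgIDs with
  "Start.exe /fcp /box:<box>" so that a double-click on a document starts
  the Office binary under Sandboxie's force-children mode.

  Assumptions (adjust the parameters for your machine):
    - Sandboxie-Plus is installed at C:\Program Files\Sandboxie-Plus\Start.exe
    - the target box is named HellGate
    - the ProgIDs are the default ones for .docx/.xlsx/.pptx; verify with the
      dry run (no -Apply) before writing anything.
  Run from an elevated PowerShell: writing under HKEY_CLASSES_ROOT needs admin.
#>
param(
    [string]   $Box      = 'HellGate',
    [string]   $StartExe = 'C:\Program Files\Sandboxie-Plus\Start.exe',
    [string[]] $ProgIds  = @('Word.Document.12', 'Excel.Sheet.12', 'PowerPoint.Show.12'),
    [switch]   $Apply
)

# Build the wrapped command from the existing one. Idempotent: a command that
# already goes through Start.exe is returned unchanged, so re-running is safe.
function Get-WrappedCommand {
    param([string]$Original, [string]$StartExe, [string]$Box)
    if ($Original -match '(?i)Start\.exe"?\s+/') { return $Original }
    return ('"{0}" /fcp /box:{1} {2}' -f $StartExe, $Box, $Original)
}

# Returns $true when the ProgID's Open verb already launches via Start.exe /fcp.
function Test-WrappedAssociation {
    param([string]$ProgId)
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\Open\command"
    if (-not (Test-Path $key)) { return $false }
    $cmd = (Get-ItemProperty -Path $key).'(default)'
    return [bool]($cmd -match '(?i)Start\.exe"?\s+/fcp\s')
}

if (-not (Test-Path $StartExe)) {
    throw "Start.exe not found at $StartExe"
}

foreach ($progId in $ProgIds) {
    $key = "Registry::HKEY_CLASSES_ROOT\$progId\shell\Open\command"
    if (-not (Test-Path $key)) {
        Write-Warning "$progId has no shell\Open\command key; skipping"
        continue
    }
    $current = (Get-ItemProperty -Path $key).'(default)'
    $wrapped = Get-WrappedCommand -Original $current -StartExe $StartExe -Box $Box

    Write-Host "[$progId]"
    Write-Host "  before: $current"
    Write-Host "  after : $wrapped"

    if ($Apply -and $wrapped -ne $current) {
        Set-ItemProperty -Path $key -Name '(default)' -Value $wrapped
        if (-not (Test-WrappedAssociation -ProgId $progId)) {
            Write-Warning "  write to $progId did not take effect"
        }
    }
}
```

Two checks before trusting this: a per-user override under HKEY_CURRENT_USER\Software\Classes, or a different ProgId recorded in HKCU\...\Explorer\FileExts\.docx\UserChoice, takes precedence over the HKCR key edited here, so confirm which ProgID the extension actually resolves to; and the wrapping only covers launches that go through the file association, so a WINWORD.EXE started directly (Start menu, Run dialog, another process) is not forced into the box by this change.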

1mm0rt41PC commented 2 months ago

Yes, changing the association works well, but the goal is to catch any instance of Word/Excel/PowerPoint to avoid child process creation, to block the exploit https://github.com/itm4n/VBA-RunPE

1mm0rt41PC commented 2 months ago

Works well! Nice job!!! I have created a sample ini file to avoid local privesc on a computer: https://github.com/1mm0rt41PC/SecureDomain/blob/master/Sandboxie-example.ini#L202C1-L202C14