Closed 1mm0rt41PC closed 2 months ago
You can try to change the association of the file in question. For example "Start.exe /fcp /box:xxx winword.exe %1". The original version of this feature was based on the ini configuration, but it was later outlawed.
Yes, changing the association works well, but the goal is to catch any instance of Word/Excel/PowerPoint to avoid child process creation, to block the exploit https://github.com/itm4n/VBA-RunPE
Works well! Nice job!!! I have created a sample ini file to avoid local privesc on a computer: https://github.com/1mm0rt41PC/SecureDomain/blob/master/Sandboxie-example.ini#L202C1-L202C14
Is your feature request related to a problem or use case?
I have a use case where I want all processes launched by WINWORD.exe to be sent to the XXXX sandbox. But WINWORD.exe is not in the sandbox. I can do it with the command line:
"C:\Program Files\Sandboxie-Plus\Start.exe" /box:HellGate /force_children "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
but it's not very practical when I want to catch a double click on myfile.docx
Describe the solution you'd like
Add an argument into each box:
or
Describe alternatives you've considered
I have tested adding a debugger like to catch process creation, but it crashes WinWord: