sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0

NtQueryDirectoryObject (you should not return "STATUS_MORE_ENTRIES") as this is an EASY Sandbox Detection #4201

Closed 0bbedCode closed 3 weeks ago

0bbedCode commented 3 weeks ago

Describe what you noticed and did

Your hook for "NtQueryDirectoryObject", located in the Sandboxie DLL in "/ipc/ipc.c"

Function "Ipc_NtQueryDirectoryObject"

You return "STATUS_MORE_ENTRIES" when there are more entries, else "STATUS_SUCCESS", when the call comes from an unsuspecting process (no debate about whether this function is used). It should instead return "STATUS_BUFFER_TOO_SMALL" when being probed for size.

In theory, if I were to use that NT API (which sandbox / virtual environment detectors use), it will return either "STATUS_SUCCESS" or "STATUS_MORE_ENTRIES". If you are probing the NT API to get the buffer size, this will break any program doing so.

Example: this code will break

            // Size probe: a NULL buffer with length 0 is expected to come back as
            // STATUS_BUFFER_TOO_SMALL, with rlen set to the bytes needed for the next
            // entry (ReturnSingleEntry = TRUE); ctx carries the position between calls.
            rlen = 0;
            status = NtQueryDirectoryObject(hDirectory, NULL, 0, TRUE, FALSE, &ctx, &rlen);
            if (status != STATUS_BUFFER_TOO_SMALL) {
                printf("[supEnumSystemObjects][NtQueryDirectoryObject] Return is not [STATUS_BUFFER_TOO_SMALL] %d\n", status);
                break;
            }

Technically it's best to probe it for size instead of assuming, but your program returns an invalid size / invalid result. Before I started iterating (probing it for size) I get the result "STATUS_MORE_ENTRIES", but how? I didn't start iterating through it yet. I passed NULL and 0, yet I have more entries? That's impossible.

This will cause a lot of false flags for VM detections and positive flags for sandbox detections. I'm writing a new SbieHide.dll, but I can't do anything about it until you fix your hook to clean up your return value.

I'm not 100% sure why you are looping through the objects; that's fine, but if possible clean up so that when a real process with a purpose calls it, it can use it as if it was never used before. If it's to hide Sandboxie from detection, well, it does not work at all; it still has detections, and again the "SbieHide.dll" I'm extending fails, since your address gets invoked for the Save Hooks.

I made a custom SbieDLL.dll: instead of returning "STATUS_MORE_ENTRIES" I returned "STATUS_BUFFER_TOO_SMALL" (like it should be returning), and it fixed the VM detection issues but obviously still had detections for the sandbox. Sandboxie didn't crash, so I presume I can continue spoofing (maybe), but again I am not sure why you iterate through it, so instead I'm requesting that you do some "clean up" job to make it seem as if you didn't iterate through the data (as you can detect the sandbox easily then).

How often did you encounter it so far?

No response

Expected behavior

Return "STATUS_BUFFER_TOO_SMALL" when being probed for size (and clean up if needed so a regular process can still iterate). That is the expected behaviour; what is unexpected is when I pass "NULL" and a length of "0" and get "STATUS_MORE_ENTRIES" in return.

I'm not 100% sure why you loop through it, but if possible clean it up (so when a real call reaches it, it's not going to crash said program) and return "STATUS_BUFFER_TOO_SMALL" when it should, so that it can't be detected.

Affected program

Not relevant

Download link

Not relevant

Where is the program located?

Not relevant to my request.

Did the program or any related process close unexpectedly?

No, not at all.

Crash dump

No response

What version of Sandboxie are you running now?

1.14.6+ 64/86 (any version with this hook)

Is it a new installation of Sandboxie?

I have been using the same version for some time.

Is it a regression from previous versions?

No response

In which sandbox type you have this problem?

Not relevant to my request.

Can you reproduce this problem on a new empty sandbox?

Not relevant to my request.

What is your Windows edition and version?

Not relevant

In which Windows account you have this problem?

Not relevant to my request.

Please mention any installed security software

Not relevant

Did you previously enable some security policy settings outside Sandboxie?

No response

Trace log

Not relevant

Sandboxie.ini configuration

No response
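The probe contract the report relies on, as an added example that is not Sandboxie's code and not code from the reporter: a portable C model of NtQueryDirectoryObject with ReturnSingleEntry = TRUE (NULL/0 probe answers STATUS_BUFFER_TOO_SMALL with the required size, a read that fits advances the context and answers STATUS_MORE_ENTRIES or STATUS_SUCCESS, an exhausted context answers STATUS_NO_MORE_ENTRIES), next to a model of the hook behaviour described above, where the probe result is replaced by STATUS_MORE_ENTRIES or STATUS_SUCCESS. The supEnumSystemObjects-style loop from the report is run against both, and the size probe itself is used as the sandbox check the reporter describes. The NTSTATUS values are the real ones; the directory contents, the per-entry byte cost and the hook model are assumptions constructed for the demonstration, and the multi-entry mode of the real call is not modelled.

```c
/* Added example, not Sandboxie's code: models the NtQueryDirectoryObject size-probe
 * contract and the pre-fix hook behaviour described in the issue, then runs the
 * probe-then-read loop and the probe-based check against both. Compiles without
 * the Windows SDK. Directory contents and entry sizes are constructed (assumption). */
#include <stdio.h>
#include <string.h>

typedef int NTSTATUS;                      /* 32-bit, like LONG on Windows */
#define STATUS_SUCCESS          ((NTSTATUS)0x00000000)
#define STATUS_MORE_ENTRIES     ((NTSTATUS)0x00000105)
#define STATUS_NO_MORE_ENTRIES  ((NTSTATUS)0x8000001A)
#define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023)
#define NT_SUCCESS(s)           ((NTSTATUS)(s) >= 0)

typedef struct { const char *name; const char *type; } DirEntry;

/* Constructed sample directory (assumption; not a dump of a real object directory). */
static const DirEntry SAMPLE_DIR[] = {
    { "Restricted",       "Directory" },
    { "ShellHWDetection", "Event"     },
    { "Session1",         "Section"   },
};
#define SAMPLE_COUNT ((unsigned)(sizeof SAMPLE_DIR / sizeof SAMPLE_DIR[0]))
#define HEADER_BYTES 32u   /* stand-in for sizeof(OBJECT_DIRECTORY_INFORMATION) (assumption) */

/* Bytes one record plus its two UTF-16 strings (with terminators) would occupy. */
static unsigned entry_bytes(const DirEntry *e)
{
    return HEADER_BYTES + 2u * (unsigned)(strlen(e->name) + 1 + strlen(e->type) + 1);
}

typedef NTSTATUS (*QueryFn)(char *buffer, unsigned length, unsigned *context, unsigned *ret_len);

/* Model of the native call with ReturnSingleEntry == TRUE: a NULL/0 probe yields
 * STATUS_BUFFER_TOO_SMALL and the bytes required in *ret_len; a read that fits
 * advances *context and reports whether entries remain. */
static NTSTATUS native_query(char *buffer, unsigned length, unsigned *context, unsigned *ret_len)
{
    if (*context >= SAMPLE_COUNT) {
        *ret_len = 0;
        return STATUS_NO_MORE_ENTRIES;
    }
    const DirEntry *e = &SAMPLE_DIR[*context];
    unsigned needed = entry_bytes(e) + HEADER_BYTES;   /* plus the terminating empty record */
    *ret_len = needed;
    if (buffer == NULL || length < needed)
        return STATUS_BUFFER_TOO_SMALL;
    /* The real call writes OBJECT_DIRECTORY_INFORMATION records; "name\0type\0" stands in here. */
    memset(buffer, 0, length);
    snprintf(buffer, length, "%s", e->name);
    snprintf(buffer + strlen(e->name) + 1, length - strlen(e->name) - 1, "%s", e->type);
    *context += 1;
    return *context < SAMPLE_COUNT ? STATUS_MORE_ENTRIES : STATUS_SUCCESS;
}

/* Model of the hook behaviour the issue reports (assumption, built from the report):
 * STATUS_BUFFER_TOO_SMALL never reaches the caller; it becomes STATUS_MORE_ENTRIES
 * while entries remain after the current one and STATUS_SUCCESS otherwise. */
static NTSTATUS prefix_hook_query(char *buffer, unsigned length, unsigned *context, unsigned *ret_len)
{
    NTSTATUS st = native_query(buffer, length, context, ret_len);
    if (st == STATUS_BUFFER_TOO_SMALL)
        st = (*context + 1 < SAMPLE_COUNT) ? STATUS_MORE_ENTRIES : STATUS_SUCCESS;
    return st;
}

/* The probe-then-read loop from the issue: returns how many entries were read
 * before the loop stopped. A clean run ends on STATUS_NO_MORE_ENTRIES from the probe. */
static unsigned enumerate_directory(QueryFn query)
{
    char buf[256];
    unsigned ctx = 0, rlen = 0, count = 0;
    for (;;) {
        NTSTATUS st = query(NULL, 0, &ctx, &rlen);
        if (st != STATUS_BUFFER_TOO_SMALL)
            break;
        if (rlen > sizeof buf)
            break;
        st = query(buf, rlen, &ctx, &rlen);
        if (!NT_SUCCESS(st))
            break;
        count++;
    }
    return count;
}

/* The check the reporter describes: on a non-empty directory a NULL/0 probe must
 * answer STATUS_BUFFER_TOO_SMALL; STATUS_SUCCESS or STATUS_MORE_ENTRIES with nothing
 * read only happens with something else in the call path. Returns 1 if so. */
static int probe_indicates_hook(QueryFn query)
{
    unsigned ctx = 0, rlen = 0;
    NTSTATUS st = query(NULL, 0, &ctx, &rlen);
    return st != STATUS_BUFFER_TOO_SMALL && st != STATUS_NO_MORE_ENTRIES;
}

int main(void)
{
    printf("native:       %u entries read, hook indicated: %d\n",
           enumerate_directory(native_query), probe_indicates_hook(native_query));
    printf("pre-fix hook: %u entries read, hook indicated: %d\n",
           enumerate_directory(prefix_hook_query), probe_indicates_hook(prefix_hook_query));
    return 0;
}
```

Against the native model the loop reads all three entries and the probe is unremarkable; against the hook model the very first probe comes back as STATUS_MORE_ENTRIES, so the loop reads nothing and the probe alone is enough to tell the two apart, which is the point of the report.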

0bbedCode commented 3 weeks ago

PS: a lot of the fields are not relevant. I physically see the code YOU made, so it won't make a difference whether it's admin or Windows 7 or whatnot; so long as your hook exists for "NtQueryDirectoryObject" and you always return either "STATUS_MORE_ENTRIES" or "STATUS_SUCCESS", you will always have an EASY detection vector that not even people like me working on hiding these things can work around, as even the original call in the hooking lib MinHook still calls your hook.

This can also cause issues in regular programs expecting "STATUS_BUFFER_TOO_SMALL" as they are probing it for size (even I do that a lot with Win APIs: probe them for size).

As I said, you know your program best, so if you can make a workaround, that would be great. I feel simply returning "STATUS_BUFFER_TOO_SMALL" may not be enough, as you are actively doing something with that data / those buffers.

Currently it gets detected in 3 (possibly more) VM/sandbox detection tools.

DavidXanatos commented 3 weeks ago

The behavior will be fixed as follows: https://github.com/sandboxie-plus/Sandboxie/commit/e0e4b8882ef4f55a31c4ab6e6fd0c15d0799a1da. We need to iterate through all entries to construct a merged list, but now the size probing should work correctly.