Introduction
What is Sandboxie? When a full VM is overkill, you can use a
sandbox to isolate the I/O for the application. Sandboxie hooks and re-routes
file system calls. Some benefits include:
- Secure Web Browsing: Running your Web browser under the protection of Sandboxie means that all malicious software downloaded by the browser is trapped in the sandbox and can be discarded trivially.
- Enhanced Privacy: Browsing history, cookies, and cached temporary files collected while Web browsing stay in the sandbox and don't leak into Windows.
- Secure E-mail: Viruses and other malicious software that might be hiding in your email can't break out of the sandbox and can't infect your real system.
- Windows Stays Lean: Prevent wear-and-tear in Windows by installing software into an isolated sandbox.
The following classes of system objects are supervised by Sandboxie: Files, Disk Devices, Registry Keys, Process and Thread objects, Driver objects, and objects used for Inter-process communication: Named Pipes and Mailbox Objects, Events, Mutexes (Mutants in NT speak), Semaphores, Sections and LPC Ports.
Sandboxie also prevents programs executing inside the sandbox from loading drivers directly. It also prevents programs from asking a central system component, known as the Service Control Manager, to load drivers on their behalf. In this way, drivers, and more importantly, rootkits, cannot be installed by a sandboxed program.
It should be noted, however, that Sandboxie does not by default stop sandboxed programs from reading your sensitive data. By careful configuration of the ClosedFilePath and ClosedKeyPath settings in Sandboxie, you can achieve this goal as well.
Using the code
Written in C++, the API functions support the enumeration of sandboxes and processes, and the ability to kill processes. I wrapped the API with C# and restructured it into Sandbox, SandboxProcess, and SandboxManager objects.
SandboxManager
You can have several sandboxes with different configurations, and the sandbox manager exists to support enumeration, creation, and events. Enumeration and events depend on polling to be accurate, so both are only as current as the last call to the refresh methods (RefreshAll or RefreshSandboxList). Following a refresh, events will fire to notify that sandboxes have been found or removed or that processes have been found or removed.
Sandbox
Each sandbox has its own paths and files, which are shown as properties. I added a start method to encapsulate the command line parameters available. I also added a mechanism to copy and delete sandboxes. Copy simply makes a copy of the sandbox directory, adds an entry in the configuration file, and calls the native reload function. Delete removes the directory and the configuration entry. These depend on “ShellBasics.dll” found in CodeProject (included). Because these are my creation, they may not always be supported. Caveat programmer.
SandboxProcess
While a SandboxProcess is very similar to a .NET Process object, it also contains links to the parent sandbox and to the underlying Process object. I also included the Process Exited event.
Sample Code
This sample creates a new sandbox based on the default one provided, starts and kills IE, then deletes the sandbox.
// Wrap the existing "DefaultBox" sandbox; the manager handles enumeration and events.
_defaultbox = new Sandbox("DefaultBox", new SandboxManager());
// Copy the sandbox directory and add a "User1" entry to the configuration file.
_user1box = _defaultbox.CopySandbox("User1");
// Start Internet Explorer inside the new sandbox (the IE binary is iexplore.exe).
SandboxProcess proc = _user1box.Start("iexplore.exe");
proc.Terminate();
// Remove the sandbox directory and its configuration entry.
_user1box.DeleteSandbox();
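A fuller use of the wrapper, added here as an example rather than code taken from the article's download: it subscribes to the manager's polling events, refreshes so the events fire, waits for the process Exited event before deleting the copied sandbox, and cleans up in a finally block so a failed Start does not leave a stray sandbox behind. The namespace SandboxieWrapper, the event names SandboxFound and ProcessFound, the event-argument members Sandbox and Process, and the Name property are assumptions about the wrapper, not names given in the article.

```csharp
using System;
using System.Threading;
using SandboxieWrapper; // assumed namespace of the C# wrapper

class Demo
{
    static void Main()
    {
        var manager = new SandboxManager();

        // Enumeration is polling-based: nothing is reported until a refresh runs.
        // The event and argument names below are assumptions; the article only
        // says events fire for sandboxes/processes found or removed after a refresh.
        manager.SandboxFound += (s, e) => Console.WriteLine("sandbox found: " + e.Sandbox.Name);
        manager.ProcessFound += (s, e) => Console.WriteLine("process found in: " + e.Process.Sandbox.Name);
        manager.RefreshAll();

        var defaultBox = new Sandbox("DefaultBox", manager);
        Sandbox userBox = defaultBox.CopySandbox("User1");
        try
        {
            using (var exited = new ManualResetEvent(false))
            {
                SandboxProcess proc = userBox.Start("iexplore.exe");
                proc.Exited += (s, e) => exited.Set();

                // The new process only shows up in the manager after another poll.
                manager.RefreshAll();

                // Work with the sandboxed process here, then stop it.
                proc.Terminate();

                // Terminate does not wait; deleting the sandbox directory while the
                // process is still running would fail or leave files behind.
                if (!exited.WaitOne(TimeSpan.FromSeconds(10)))
                    Console.WriteLine("process did not report exit within 10 s");
            }
        }
        finally
        {
            // Always remove the copied sandbox and its configuration entry,
            // even if Start or Terminate threw.
            userBox.DeleteSandbox();
        }
    }
}
```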
History
2010-10-27: First version
Note
I had no hand in writing Sandboxie itself, so please direct inquiries about it to the Sandboxie Forums.