Could SBIE leverage Windows memory protection by launching as Protected Process Light (PPL)? #4476
Unanswered
e-t-l
asked this question in
Various ideas and suggestions
Replies: 5 comments 1 reply
-
We may have a better suggestion now.
The manager has another project named MajorPrivacy; he and I are planning to add cross features between them.
If your advice is the lucky dog, then we may add the protection feature for Sandboxie, which is based on MajorPrivacy.
YeYixiao
…---Original--- Date: Wed, Jan 22, 2025 15:52 PM, Subject: [sandboxie-plus/Sandboxie] Could SBIE leverage Windows memory protection by launching as Protected Process Light (PPL)? (Discussion #4476). The quoted message is the original post, reproduced in full at the end of this page.
0 replies
-
As a result of not having logged into my GitHub account, I have to write my answer by email:
Suggestion->solution
manager->maintainer
0 replies
-
If you had read the document carefully, you must have paid attention to this: https://learn.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-#requirements
If we directly use your method, then we have to tell Microsoft that we are anti-virus software. And we have to add a huge amount of ELAM code to our driver. This is not reliable, because a sandbox is obviously not anti-virus software at all.
YeYixiao
1 reply
-
https://learn.microsoft.com/en-us/windows/win32/w8cookbook/secured-boot#tests
"ELAM drivers must be specially signed by Microsoft to ensure they are started by the Windows kernel early in the boot process."
See "specially".
https://learn.microsoft.com/en-us/windows-hardware/drivers/install/elam-prerequisites#antimalware-vendor-participation-requirements
"Microsoft requires that Early Launch Antimalware vendors be members of the Microsoft Virus Initiative (MVI)."
At least from the two texts, we can infer two facts. The first one is that we have to add another driver to implement what you said. The second one is that we, open-source individual developers, have to register as an anti-virus software provider organization.
If you feel confused about why I am sticking to ELAM, see what you had linked: https://learn.microsoft.com/en-us/windows/win32/api/winsvc/ns-winsvc-service_launch_protected_info#remarks
"SERVICE_LAUNCH_PROTECTED_ANTIMALWARE_LIGHT protection type can be used by the anti-malware vendors to launch their anti-malware service as protected. See Protecting Anti-Malware Services for more info."
…---Original--- Date: Sat, Jan 25, 2025 01:35 AM, Subject: Re: [sandboxie-plus/Sandboxie] Could SBIE leverage Windows memory protection by launching as Protected Process Light (PPL)? (Discussion #4476). The quoted reply follows:
we have to tell microsoft that we are a anti virus software.And we have to add huge of ELAM code in our driver.
Ok, if you say so... The documentation doesn't say any of that, but if you have some outside knowledge that allows you to make inferences from the documentation then I guess what you're saying could make sense.
I proposed this idea because what the documentation says is:
the certification chain either has to be a known root
which just sounds like it needs to be signed with a valid software cert (as I'm pretty sure SBIE already is), and
the driver must have an embedded resource section containing the information of the certificates used to sign the user mode service binaries […] The user-mode service that needs to be launched as protected must be signed with valid certificates […] The hash of these certificates must be added into the resource file
Maybe this does entail "a huge amount of ELAM code", but that isn't obvious; it just states the driver needs to have the hashes of the usermode exes that are allowed to interact with it.
If you have more knowledge about this topic than me I invite you to share it, but condescendingly relinking the same info I already linked and claiming it *obviously* supports your assertions is not very productive.
0 replies
-
What attack vectors will this even protect from? Malware running with admin permissions outside the sandbox?
0 replies
-
Windows memory protection (https://learn.microsoft.com/en-us/windows/win32/memory/memory-protection) is used at its highest levels to protect core OS programs (the "Protected Processes"), permitting only programs/DLLs with the appropriate Windows signature to access their memory space or control them.
At a slightly lower protection level, the "Protected Process Light" or "PPL," 3rd-party signed programs/DLLs can benefit from similar protections. This is most frequently used by Antivirus programs to prevent tampering (this is why, for example, you might not be able to disable the service for your antivirus even if you run SC CONFIG with Admin or even System user privileges. PPLs are protected even from processes running as System.)
This seems like it would be a great security enhancement for Sandboxie. Hypothetically, it is pretty straightforward to make a service a PPL; it involves creating a LaunchProtected=3 registry value under that service's reg key. In execution, I'm not knowledgeable enough to understand from the documentation whether other changes would need to be made to the program first: https://learn.microsoft.com/en-us/windows/win32/api/winsvc/ns-winsvc-service_launch_protected_info
Bonus writeup on PPLs from someone who seems to know what they're talking about: http://www.alex-ionescu.com/?p=146
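As an added example that is not part of the discussion (nor Sandboxie's or MajorPrivacy's code), the following PowerShell audit enumerates services carrying the LaunchProtected value described above, decodes it with the SERVICE_LAUNCH_PROTECTED_INFO level names (0 NONE, 1 WINDOWS, 2 WINDOWS_LIGHT, 3 ANTIMALWARE_LIGHT), and reports the Authenticode signer of each service binary, which is the signing requirement the later replies argue about. The helper function name and the ImagePath parsing heuristics are assumptions of this example.

```powershell
# Added example (not from the discussion): list services that request a
# protected launch via LaunchProtected and show who signed each binary.
# Read-only audit; run from an elevated PowerShell prompt.
$launchProtectedNames = @{ 0 = 'NONE'; 1 = 'WINDOWS'; 2 = 'WINDOWS_LIGHT'; 3 = 'ANTIMALWARE_LIGHT' }

# Assumed helper: turn an ImagePath such as '"C:\Program Files\X\svc.exe" -k arg'
# or '\SystemRoot\System32\drivers\y.sys' into a plain file path.
function Resolve-ServiceBinaryPath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }   # quoted path, drop arguments
    } else {
        $m = [regex]::Match($p, '^(.+?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value }          # unquoted path, drop arguments
    }
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"   # kernel-style prefixes used by drivers
    $p = $p -replace '^\\\?\?\\', ''
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.LaunchProtected) { continue }
    $level = [int]$props.LaunchProtected
    if ($level -eq 0) { continue }                           # 0 = no protected launch requested

    $bin = Resolve-ServiceBinaryPath $props.ImagePath
    $signer = 'n/a'; $status = 'binary not found'
    if ($bin -and (Test-Path -LiteralPath $bin)) {
        $sig = Get-AuthenticodeSignature -FilePath $bin      # Status: Valid / NotSigned / HashMismatch ...
        $status = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    $name = if ($launchProtectedNames.ContainsKey($level)) { $launchProtectedNames[$level] } else { "UNKNOWN($level)" }
    [pscustomobject]@{ Service = $svc.PSChildName; Level = $name; Binary = $bin; SigStatus = $status; Signer = $signer }
}
```

A service whose LaunchProtected value is set but whose binary is unsigned or signed by an unexpected party is worth a closer look, since the registry value alone does not grant protection without a matching signature chain.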