
Mister X over on wilders reported an odd issue to me that only seems to occur on Windows 8 when combined with Sandboxie and MBAE.

I was able to replicate this in a Windows 8.1 x64 VM
Installed Sandboxie version 4.14
Installed Malwarebytes Anti-Exploit 1.05.1.1016
Downloaded Media Player Classic 1.7.8 x64 (7z archive)
    http://sourceforge.net/projects/mpc-hc/files/MPC%20HomeCinema%20-%20x64/MPC-HC_v1.7.8_x64/MPC-HC.1.7.8.x64.7z/download
Extracted MPC x64 Archive

Added template rules to sandboxie and activated software compatibility for MBAE.

    [Template_MBAE]
    Tmpl.Title=Malwarebytes Anti-Exploit
    Tmpl.Class=Security
    Tmpl.Scan=s
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Malwarebytes Anti-Exploit
    Tmpl.ScanKey=\REGISTRY\MACHINE\SOFTWARE\Malwarebytes Anti-Exploit
    OpenIpcPath=*\BaseNamedObjects*\NamedBuffer*Process*API*
    OpenIpcPath=*\BaseNamedObjects*\MBAE_IPC_PROTECTION*
    OpenIpcPath=*\BaseNamedObjects*\Mutex*Process*API*
    OpenIpcPath=*\RPC Control*\*MBAE_IPC_PROTECTION*
    OpenIpcPath=*\BaseNamedObjects*\AutoUnhookMap*
    OpenIpcPath=*\BaseNamedObjects*\mchMixCache*
    OpenIpcPath=*\BaseNamedObjects*\Ipc2Cnt*
    OpenIpcPath=*\BaseNamedObjects*\mchLLEW*

Added a shield for mpc-hc64.exe in MBAE
Used 'Run Sandboxed' from context menu.
Toggled shield in MBAE off/on to inject the dll.

A few seconds later it crashes mpc-hc64.exe with no errors displayed. Just *poof*!

I monitored the progress of the dll injection with the Resource Access Monitor in Sandboxie. There's nothing not getting through.
Steps taken to see this.

Disable MBAE
Run mpc-hc64.exe Sandboxed
Open Resource Access Monitor in SBIE after mpc-hc64.exe is fully loaded (skips irrelevant report data)
Enable MBAE (inject dll into shielded application)

    Clsid       -------------------------------
    File/Key    -------------------------------
    Image       -------------------------------
    Image       c:\program files (x86)\malwarebytes anti-exploit\mbae64.dll
    Image       c:\windows\system32\ntmarta.dll
    Image       c:\windows\system32\psapi.dll
    Image       c:\windows\system32\sspicli.dll
    Ipc         -------------------------------
    Ipc      O  \BaseNamedObjects\MBAE_IPC_PROTECTION_CHANNELAnswerBuf20$e30Event1
    Ipc      O  \BaseNamedObjects\MBAE_IPC_PROTECTION_CHANNELAnswerBuf20$e30Event2
    Ipc      O  \BaseNamedObjects\MBAE_IPC_PROTECTION_CHANNELAnswerBuf20$e30Map
    Ipc      O  \BaseNamedObjects\MBAE_IPC_PROTECTION_CHANNELAnswerBuf21$e30Event1
    Ipc      O  \BaseNamedObjects\MBAE_IPC_PROTECTION_CHANNELAnswerBuf21$e30Event2
    Ipc      O  \BaseNamedObjects\MBAE_IPC_PROTECTION_CHANNELAnswerBuf21$e30Map
    Ipc      O  \KnownDlls\kernel32.dll
    Ipc      O  \KnownDlls\KERNELBASE.dll
    Ipc      O  \KnownDlls\PSAPI.DLL
    Ipc      O  \RPC Control\lsasspirpc
    Ipc      O  \RPC Control\mchIpcMBAE_IPC_PROTECTION_CHANNEL
    Ipc      O  \RPC Control\SbieSvcPort
    Ipc      O  \Security\LSA_AUTHENTICATION_INITIALIZED
    Ipc      O  \Sessions\1\BaseNamedObjects\AutoUnhookMap$00000e30$9f290000
    Ipc      O  \Sessions\1\BaseNamedObjects\DBWinMutex
    Ipc      O  \Sessions\1\BaseNamedObjects\Ipc2Cnt$e30
    Ipc      O  \Sessions\1\BaseNamedObjects\mchLLEW2$e30
    Ipc      O  \Sessions\1\BaseNamedObjects\mchMixCache$e30
    Ipc      O  \Sessions\1\BaseNamedObjects\Mutex, mAH, Process $00000e30, API $00000000a46b7e10
    Ipc      O  \Sessions\1\BaseNamedObjects\Mutex, mAH, Process $00000e30, API $00000000a46cef70
    Ipc      O  \Sessions\1\BaseNamedObjects\Mutex, mAH, Process $00000e30, API $00000000a46cf810
    Ipc      O  \Sessions\1\BaseNamedObjects\Mutex, mAH, Process $00000e30, API $00000000a4713680
    Ipc      O  \Sessions\1\BaseNamedObjects\Mutex, mAH, Process $00000e30, API $00000000a47137f0
    Ipc      O  \Sessions\1\BaseNamedObjects\Mutex, mAH, Process $00000e30, API $00000000a47d0000
    Ipc      O  \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00000e30, API $00000000a46b7e10
    Ipc      O  \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00000e30, API $00000000a46cef70
    Ipc      O  \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00000e30, API $00000000a46cf810
    Ipc      O  \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00000e30, API $00000000a4713680
    Ipc      O  \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00000e30, API $00000000a47137f0
    Ipc      O  \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00000e30, API $00000000a47d0000
    Ipc      O  \Sessions\1\Windows\SharedSection
    Pipe        -------------------------------
    WinCls      -------------------------------

So far as I can tell this only happens on Windows 8. I tested it on Windows 7 originally and didn't have issues. Also protecting MPC x64 while it isn't being sandboxed doesn't seem to cause this crash even on Windows 8. Oddly enough 1/3 trial runs I made for these tests didn't crash a single time on Windows 8 until 'after a reboot'. I can't say with certainty it's a bug in MBAE but hopefully the logs in the zip will let you know if it is.

Crash.zip
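To check the post's claim that every MBAE IPC object is covered by a template rule, here is an added helper (not from the post, Sandboxie or Malwarebytes) that parses Resource Access Monitor 'Ipc' lines and matches each path against the OpenIpcPath patterns quoted above. It assumes Sandboxie-style patterns where `*` matches any run of characters and comparison is case-insensitive; the sample monitor lines are a constructed subset of the log in the post.

```python
import re

# OpenIpcPath rules copied from the MBAE compatibility template in the post.
TEMPLATE_IPC_RULES = [
    r"*\BaseNamedObjects*\NamedBuffer*Process*API*",
    r"*\BaseNamedObjects*\MBAE_IPC_PROTECTION*",
    r"*\BaseNamedObjects*\Mutex*Process*API*",
    r"*\RPC Control*\*MBAE_IPC_PROTECTION*",
    r"*\BaseNamedObjects*\AutoUnhookMap*",
    r"*\BaseNamedObjects*\mchMixCache*",
    r"*\BaseNamedObjects*\Ipc2Cnt*",
    r"*\BaseNamedObjects*\mchLLEW*",
]

# Constructed sample: a subset of the Resource Access Monitor 'Ipc' rows from the post.
SAMPLE_MONITOR_LINES = r"""
Ipc         -------------------------------
Ipc      O  \BaseNamedObjects\MBAE_IPC_PROTECTION_CHANNELAnswerBuf20$e30Event1
Ipc      O  \KnownDlls\kernel32.dll
Ipc      O  \RPC Control\mchIpcMBAE_IPC_PROTECTION_CHANNEL
Ipc      O  \RPC Control\SbieSvcPort
Ipc      O  \Sessions\1\BaseNamedObjects\AutoUnhookMap$00000e30$9f290000
Ipc      O  \Sessions\1\BaseNamedObjects\DBWinMutex
Ipc      O  \Sessions\1\BaseNamedObjects\Mutex, mAH, Process $00000e30, API $00000000a46b7e10
Ipc      O  \Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $00000e30, API $00000000a46b7e10
Ipc      O  \Sessions\1\Windows\SharedSection
"""

def rule_to_regex(rule):
    """Assumed pattern semantics: '*' is a wildcard, everything else literal, case-insensitive."""
    return re.compile("^" + ".*".join(re.escape(p) for p in rule.split("*")) + "$", re.IGNORECASE)

COMPILED_RULES = [(rule, rule_to_regex(rule)) for rule in TEMPLATE_IPC_RULES]

def parse_ipc_paths(monitor_text):
    """Object paths from 'Ipc <flag> <path>' rows; the dashed header row is skipped."""
    return [m.group(1) for m in (re.match(r"^Ipc\s+\S+\s+(\\.*)$", line)
                                 for line in monitor_text.splitlines()) if m]

def matching_rule(path):
    """The first template rule that opens this path, or None."""
    return next((rule for rule, rx in COMPILED_RULES if rx.match(path)), None)

def uncovered_paths(monitor_text):
    """Accessed IPC objects that no template rule opens (they rely on Sandboxie's own defaults)."""
    return [p for p in parse_ipc_paths(monitor_text) if matching_rule(p) is None]

if __name__ == "__main__":
    for path in parse_ipc_paths(SAMPLE_MONITOR_LINES):
        print(f"{matching_rule(path) or '(no template rule)':48} {path}")
```

Paths without a template match are not necessarily blocked; they are simply the ones the MBAE template does not account for, which is where to look first if a rule turns out to be missing.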


Thanks for the information. Since Sandboxie is not officially supported by MBAE yet, I will move this to the Questions sub-forum instead of the Product Support forum.


We will also take a look at the crash information and try to repro internally.

Thanks, I wasn't sure how it would be handled under the circumstances. It IS a rather odd and 'situation specific' issue, no doubt, but I look forward to any updates you might have on the situation in the future!
