Author Topic: Safezone and Sandbox vs DllInjection  (Read 15413 times)


Offline floste

  • Newbie
  • *
  • Posts: 11
Re: Safezone vs DllInjection
« Reply #15 on: July 29, 2011, 05:05:18 PM »
Quote
I believe browsers are set up to allow dll injection at some level by default (avast behaviour shield employs dll injection on browsers to monitor behaviour - and every time it does trusteer rapport blocks it on my system).

It is not a property of the browsers but the way windows works:
Any program can manipulate any other program running under the same user account at the same Integrity Level in any way it wishes.

The proper and relatively simple solution would be to run the SafeZone under a different user account.  :)

Quote
I can't see why the safezone browser should be set up this way though - it doesn't want to let anything else in.
Yes, but it is not so easy to block these functions. The best way is to make windows block it for you somehow! As I said, just running it under a different user account using a service as broker would at least increase the security.

Quote
Do any other AIS users find this thread a bit disconcerting
Well, that's most likely because you do not understand the technical details ^^

Quote
or is this in reality something that malware would struggle to replicate
DllInjection is very common and already in use for:
-Displaying framerates and other info inside games
-Cheats/mods
-Spell checking
-Bypassing firewalls
-Usermode rootkits
-Keyloggers

There are many variations of the technique.
Most common for keyloggers is SetWindowsHookEx; this does not work against SafeZone.
Most common for specific targets (e.g. cheats/mods) is CreateRemoteThread; this still works.
And some more complicated variations.

So a huge percentage of programs using such techniques will not work. But they could be modified to work again^^


I would like to hear from/chat with a developer.
« Last Edit: July 29, 2011, 05:09:14 PM by floste »
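The CreateRemoteThread variant floste describes is at least observable even where it is not blocked: Sysmon's Event ID 8 records every cross-process thread creation with its source and target image, so a defender can flag threads started inside a protected browser by anything other than the AV's own behaviour shield. Added example, not code from the thread or from Avast; the log lines, paths and allowlist are constructed.

```python
"""Flag unexpected cross-process thread creation (Sysmon Event ID 8)."""

# Constructed Sysmon Event ID 8 (CreateRemoteThread) records, flattened to one
# "Key=Value|Key=Value" line each. Field names follow Sysmon; paths are made up.
SAMPLE_EVENTS = [
    "UtcTime=2011-08-01 20:50:00|SourceImage=C:\\AV\\behavior_shield.exe"
    "|TargetImage=C:\\Sandbox\\browser.exe|StartModule=kernel32.dll|StartFunction=LoadLibraryW",
    "UtcTime=2011-08-01 20:51:00|SourceImage=C:\\Tools\\ProcessHacker.exe"
    "|TargetImage=C:\\Sandbox\\browser.exe|StartModule=kernel32.dll|StartFunction=LoadLibraryW",
    "UtcTime=2011-08-01 20:52:00|SourceImage=C:\\Sandbox\\browser.exe"
    "|TargetImage=C:\\Sandbox\\browser.exe|StartModule=browser.exe|StartFunction=-",
    "UtcTime=2011-08-01 20:53:00|SourceImage=C:\\Tools\\ProcessHacker.exe"
    "|TargetImage=C:\\Program Files\\TrueCrypt\\TrueCrypt.exe|StartModule=-|StartFunction=-",
]

PROTECTED = {"c:\\sandbox\\browser.exe"}          # constructed: the sandboxed browser
ALLOWED_SOURCES = {"c:\\av\\behavior_shield.exe"}  # constructed: the AV's own injector


def parse_event(line):
    """Turn one flattened record into a dict of Sysmon field -> value."""
    return dict(field.split("=", 1) for field in line.split("|"))


def classify(event, protected=PROTECTED, allowed=ALLOWED_SOURCES):
    """Return a severity string, or None when the thread is expected."""
    src = event["SourceImage"].lower()
    dst = event["TargetImage"].lower()
    if src == dst or src in allowed:
        return None  # the process itself, or the AV that is known to inject
    if dst in protected:
        return "high"  # anything else touching the sandboxed browser
    if event["StartFunction"].startswith("LoadLibrary"):
        return "medium"  # thread entry at LoadLibrary*: classic DLL load pattern
    return "low"  # cross-process thread into an unprotected process


def find_unexpected_remote_threads(lines, protected=PROTECTED, allowed=ALLOWED_SOURCES):
    """Return (time, source, target, severity) for every flagged record."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        sev = classify(ev, protected, allowed)
        if sev:
            findings.append((ev["UtcTime"], ev["SourceImage"], ev["TargetImage"], sev))
    return findings


if __name__ == "__main__":
    for hit in find_unexpected_remote_threads(SAMPLE_EVENTS):
        print(hit)
```

The allowlist shows the trade-off floste mentions: the AV's own injection into browsers has to be tolerated, so the rule keys on who injects, not only that injection happened.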

Offline Rednose

  • Pirate Party Member
  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 3706
  • Bits of Freedom : https://www.bof.nl
    • Nederlandstalig Avast! forum
Re: Safezone vs DllInjection
« Reply #16 on: July 29, 2011, 05:20:35 PM »
Read my previous post :)

Petr Kurtin is the developer of SafeZone, so also the person to discuss it with :)

Greetz, Red.
OS: Win 10 / iOS 14 / Debian 10 / Tails 4
Real Time: Avast Premium Security
VPN: NordVPN ( NordLynx ) with Cybersec

Offline mag

  • Advanced Poster
  • **
  • Posts: 740
Re: Safezone vs DllInjection
« Reply #17 on: July 29, 2011, 06:53:13 PM »

Quote
Do any other AIS users find this thread a bit disconcerting
Well, that's most likely because you do not understand the technical details ^^


Well, yes - but I was happier in my ignorance before you posted :(

Offline gdiloren

  • Advanced Poster
  • **
  • Posts: 1178
Re: Safezone vs DllInjection
« Reply #18 on: July 30, 2011, 05:07:54 PM »
I did not try the DLL injection because it is too complicated for me. I expect AILWIL to test it. What I found is that I have to thoroughly clear my browsing data before exiting SafeZone. Does it solve the problem? Is there still piracy?
 :P
Avast protects well!!!

Offline floste

  • Newbie
  • *
  • Posts: 11
Re: Safezone vs DllInjection
« Reply #19 on: August 01, 2011, 10:50:46 PM »
Actually I thought: This will never ever work and did not even try until today.

But it seems like the so-called sandbox is all about drawing red frames but not preventing anything.

What I did: Start Process Hacker in the sandbox and do DLL injection into random processes (TrueCrypt, Firefox etc.)
Result: First attempt worked, sandbox outbreak...

This is so hilarious!

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2085
Re: Safezone and Sandbox vs DllInjection
« Reply #20 on: August 02, 2011, 05:41:50 PM »
(edited, do some more tests)
« Last Edit: August 02, 2011, 05:52:47 PM by pk »

Offline mag

  • Advanced Poster
  • **
  • Posts: 740
Re: Safezone and Sandbox vs DllInjection
« Reply #21 on: August 05, 2011, 10:34:03 AM »
Quote
(edited, do some more tests)
Any more news?
Thanks

Offline mag

  • Advanced Poster
  • **
  • Posts: 740
Re: Safezone and Sandbox vs DllInjection
« Reply #22 on: August 09, 2011, 08:55:09 PM »
Quote
(edited, do some more tests)
Any conclusions yet?

Offline mag

  • Advanced Poster
  • **
  • Posts: 740
Re: Safezone and Sandbox vs DllInjection
« Reply #23 on: August 12, 2011, 07:12:57 PM »
Well, after 10 days of silence I'm guessing it has not proven easy for avast to dismiss the OPs claims.

Issues with the sandbox effectiveness wouldn't be much of a problem for me. The only thing I have set up to run in the sandbox is IE9 (which I don't use anyway).

Safezone weaknesses would be more of a concern.


Offline floste

  • Newbie
  • *
  • Posts: 11
Re: Safezone and Sandbox vs DllInjection
« Reply #24 on: August 13, 2011, 12:05:04 PM »
Quote
Well, after 10 days of silence I'm guessing it has not proven easy for avast to dismiss the OPs claims.
::) What did you expect?

At least somebody of their staff noticed. 2 weeks for a response and several months more for a fix are nothing unusual.  ;)

Quote
The only thing I have set up to run in the sandbox is IE9 (which I don't use anyway).
IE9 already has a "sandbox" when run under Vista or above. And both sandboxes amend each other very well!

Offline mag

  • Advanced Poster
  • **
  • Posts: 740
Re: Safezone and Sandbox vs DllInjection
« Reply #25 on: August 14, 2011, 12:12:38 PM »
I'm wondering if there might be a different way to get something like SafeZone.

Run a tiny linux OS (loaded from CD) entirely in memory. No persistence for changes.

It's certainly quick!


Offline mag

  • Advanced Poster
  • **
  • Posts: 740
Re: Safezone and Sandbox vs DllInjection
« Reply #26 on: September 15, 2011, 07:07:49 PM »
Quote
(edited, do some more tests)
Any update on this available now that a new version of avast is out?

Offline floste

  • Newbie
  • *
  • Posts: 11
Re: Safezone and Sandbox vs DllInjection
« Reply #27 on: September 15, 2011, 09:28:35 PM »
Obviously not...

Offline floste

  • Newbie
  • *
  • Posts: 11
Push
« Reply #28 on: January 17, 2012, 10:01:57 PM »
Push

(Nothing happened so far)

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2085
Re: Safezone and Sandbox vs DllInjection
« Reply #29 on: January 20, 2012, 01:26:22 AM »
This was already fixed in avast7 version, thanks for report.