diff --git a/Sandboxie/core/drv/process_force.c b/Sandboxie/core/drv/process_force.c index 936d53e0..15f7c9d4 100644 --- a/Sandboxie/core/drv/process_force.c +++ b/Sandboxie/core/drv/process_force.c @@ -161,6 +161,7 @@ _FX BOX *Process_GetForcedStartBox( ULONG alert; BOOLEAN check_force; BOOLEAN is_start_exe; + BOOLEAN image_sbie; BOOLEAN force_alert; BOOLEAN dfp_already_added; BOOLEAN same_image_name; @@ -248,7 +249,7 @@ _FX BOX *Process_GetForcedStartBox( // when the process is start.exe we ignore the CurDir and DocArg // - Process_IsSbieImage(ImagePath, NULL, &is_start_exe); + Process_IsSbieImage(ImagePath, &image_sbie, &is_start_exe); if ((! box) && CurDir && !is_start_exe) box = Process_CheckBoxPath(&boxes, CurDir); @@ -284,7 +285,15 @@ _FX BOX *Process_GetForcedStartBox( Process_DfpInsert(PROCESS_TERMINATED, ProcessId); } - if (!box) { + // + // Check if the parent process has its children forced to be sandboxes + // exempt sandboxie components from this as start.exe can be used to + // open selected processes in other boxes or set Dfp when desired. + // + // we also must Excempt conhost.exe for console applications + // + + if (!box && !image_sbie && _wcsicmp(ImageName, L"conhost.exe") != 0) { WCHAR boxname[BOXNAME_COUNT]; diff --git a/Sandboxie/core/svc/sbieiniserver.cpp b/Sandboxie/core/svc/sbieiniserver.cpp index bdaae16d..89ab9104 100644 --- a/Sandboxie/core/svc/sbieiniserver.cpp +++ b/Sandboxie/core/svc/sbieiniserver.cpp @@ -2409,6 +2409,18 @@ MSG_HEADER *SbieIniServer::RunSbieCtrl(MSG_HEADER *msg, HANDLE idProcess, bool i MSG_HEADER *SbieIniServer::RC4Crypt(MSG_HEADER *msg, HANDLE idProcess, bool isSandboxed) { + // + // The purpose of this function is to provide a simple machien bound obfuscation + // for example to store passwords which are required in plain text. + // To this end we use a Random 64 bit key which is generated once and stored in the registry + // as well as the rc4 algorythm for the encryption, applying the same transformation twice + // yealds the original plaintext, hence only one function is sufficient. + // + // Please note that neider the mechanism nor the use rc4 algorythm can be considdered + // cryptographically secure by any means. + // This mechanism is only good for simple obfuscation of non critical data. + // + SBIE_INI_RC4_CRYPT_REQ *req = (SBIE_INI_RC4_CRYPT_REQ *)msg; if (req->h.length < sizeof(SBIE_INI_RC4_CRYPT_REQ)) return SHORT_REPLY(STATUS_INVALID_PARAMETER);