1.8.1

CHANGELOG.md

@@ -8,12 +8,16 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [1.8.1 / 5.63.1] - 2023-03-12
 
+### Added
+- added certificate protection [#2722](https://github.com/sandboxie-plus/Sandboxie/issues/2722)
+
 ### Fixed
 - fixed issue with finder search in tracelog
 - fixed issue with NT namespace virtualization [#2701](https://github.com/sandboxie-plus/Sandboxie/issues/2701)
 - fixed issue with run unsandboxed [#2710](https://github.com/sandboxie-plus/Sandboxie/issues/2710)
 
 
+
 ## [1.8.0 / 5.63.0] - 2023-02-27
 
 ### Added

Sandboxie/core/drv/file.c

@@ -1365,6 +1365,10 @@ _FX NTSTATUS File_Generic_MyParseProc(
                 && 0 == Box_NlsStrCmp(
                     path, Driver_HomePathNt, Driver_HomePathNt_Len)) {
 
+            if(_wcsicmp(&path[Driver_HomePathNt_Len], L"\\Certificate.dat") == 0)
+                status = STATUS_ACCESS_DENIED;
+            else
+
             if (write_access)
                 status = STATUS_ACCESS_DENIED;
             else
@@ -1872,8 +1876,9 @@ _FX void File_ReplaceTokenIfFontRequest(
     // Using impersonation token in ClientToken if it is available
     // Replacing the primary token caused BSOD with Digital Guardian when dereferencing the token
     //
-
-    ObReferenceObject(proc->primary_token);
+    
+    // $Workaround$ - 3rd party fix
+    ObReferenceObject(proc->primary_token); // HACK ALERT! this causes a resource leak!!!
 
     if (!AccessState->SubjectSecurityContext.ClientToken)
     {