Merge pull request #3949 from love-code-yeyixiao/master

HideProcessAndCopyOnReadAndBlockAccessWMITemplateAndExtendTempTemplateAndUiForLimitAndNewBoxTypeAndBlockLocalConnectTemplate

CHANGELOG.md

@@ -2,6 +2,19 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [1.14.2 / 5.69.2] - 2024-??-??
+
+### Added
+- Add option "HideNonSystemProcesses" to hide processes not in a sandbox from processes lists for sandboxed processes.
+- Add option "HideSbieProcesses" to hide Sandboxie Work Process(SbieSvc,SandboxieRpcSs,etc.).
+- When "HideFirmwareInfo" is set,the programs which try getting fireware info will get false data from HKEY_CURRENT_USER\\SOFTWARE\\SandboxieHide\\FalseFirmwareValue
+- Add template "BlockAccessWMI" to prevent sandboxed processes from accessing system information through WMI.
+- Add template "BlockLocalConnect" to prevent sandboxed processes from sending network packs to loaclhost to breakout sandbox.
+- Add new box type "Maximize Isolation Sandbox".
+- Add new option "AllowCoverTaskbar" for #3975.
+
+### Changed
+- Extend "Temp Template" to make it could delete local template section.
 
 
 
@@ -36,6 +49,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
   - when it is set, a prompt pops up before launching a new program into the sandbox using "Start.exe" and checks if the program that started "Start.exe" is a Sandboxie component itself, if it is not, a warning pops up
 - added option for EditAdminOnly in SetupWizard
 
+
 ### Changed
 - splited the advanced new box wizard page in two
 - reorganized box options a bit

Sandboxie/core/dll/file.c

@@ -3516,7 +3516,11 @@ ReparseLoop:
         // open, for a CopyPath that does not exist, must also include
         // write access, or else it would have been handled earlier already)
         //
-
+		
+		if(SbieApi_QueryConfBool(NULL,L"CopyFileOnOpen",FALSE))
+			status = File_MigrateFile(
+				TruePath, CopyPath, IsWritePath, TRUE);
+		
         if (FileType & TYPE_REPARSE_POINT) {
 
             status = File_MigrateJunction(

Sandboxie/core/dll/gui.c

@@ -1356,6 +1356,35 @@ _FX HWND Gui_CreateWindowExW(
     // replace parent
     //
 
+	if (Gui_BlockInterferenceControl && !SbieApi_QueryConfBool(NULL, L"AllowCoverTaskbar", FALSE)) {
+
+		typedef BOOL(*P_SystemParametersInfoA)(UINT uiAction, UINT uiParam, PVOID pvParam, UINT fWinIni);
+		static P_SystemParametersInfoA SystemParametersInfoA = NULL;
+		if (!SystemParametersInfoA) SystemParametersInfoA = Ldr_GetProcAddrNew(L"user32.dll", L"SystemParametersInfoA", "SystemParametersInfoA");
+
+		typedef int (*P_GetSystemMetrics)(int nIndex);
+		static P_GetSystemMetrics GetSystemMetrics = NULL;
+		if (!GetSystemMetrics) GetSystemMetrics = Ldr_GetProcAddrNew(L"user32.dll", L"GetSystemMetrics", "GetSystemMetrics");
+
+		if (SystemParametersInfoA && GetSystemMetrics) {
+
+			RECT rt;
+			SystemParametersInfoA(SPI_GETWORKAREA, 0, &rt, 0);
+			int y1 = GetSystemMetrics(SM_CYSCREEN) - rt.bottom;
+			int x1 = GetSystemMetrics(SM_CXSCREEN) - rt.right;
+			int y2 = GetSystemMetrics(SM_CYSCREEN) - rt.top;
+			int x2 = GetSystemMetrics(SM_CXSCREEN) - rt.left;
+			if (y + nHeight > y1)
+				nHeight = y1 - y - 2;
+			if (y < y2)
+				y = y2 + 2;
+			if (x + nWidth > x1)
+				nWidth = x1 - x;
+			if (x < x2)
+				x = x2 + 2;
+		}
+	}
+
     if ((! Gui_DisableTitle) &&
             lpWindowName && (dwStyle & WS_CAPTION) == WS_CAPTION &&
             ((! hWndParent) || (dwStyle & WS_CHILD) == 0))
@@ -1946,7 +1975,7 @@ _FX BOOL Gui_MoveWindow(
         return FALSE;
     }
 	
-    if (Gui_BlockInterferenceControl) {
+    if (Gui_BlockInterferenceControl && !SbieApi_QueryConfBool(NULL, L"AllowCoverTaskbar", FALSE)) {
 
         typedef BOOL (*P_SystemParametersInfoA)(UINT uiAction, UINT uiParam, PVOID pvParam, UINT fWinIni);
         static P_SystemParametersInfoA SystemParametersInfoA = NULL;
@@ -1998,7 +2027,7 @@ _FX BOOL Gui_SetWindowPos(
     // use SbieSvc GUI Proxy if hWnd is accessible but outside the sandbox
     //
 	
-    if (Gui_BlockInterferenceControl) {
+    if (Gui_BlockInterferenceControl&&!SbieApi_QueryConfBool(NULL,L"AllowCoverTaskbar",FALSE)) {
 
         if (hWndInsertAfter == HWND_TOPMOST || hWndInsertAfter == HWND_TOP)
             hWndInsertAfter = HWND_DESKTOP;

Sandboxie/core/dll/sysinfo.c

@@ -207,6 +207,39 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation(
         SysInfo_DiscardProcesses(Buffer);
     }
 
+
+ if (NT_SUCCESS(status) && (SystemInformationClass == SystemFirmwareTableInformation) && SbieApi_QueryConfBool(NULL, L"HideFirmwareInfo", FALSE)) {
+		HKEY hKey=NULL;
+		PVOID lpData=NULL;
+		DWORD dwLen = 0;
+		typedef LSTATUS
+		(*ROK)(
+			_In_ HKEY hKey,
+			_In_opt_ LPCWSTR lpSubKey,
+			_In_opt_ DWORD ulOptions,
+			_In_ REGSAM samDesired,
+			_Out_ PHKEY phkResult
+			);
+		typedef LSTATUS
+			(*RQVEW)(
+				 HKEY hKey,
+				 LPCWSTR lpValueName,
+				 LPDWORD lpReserved,
+				 LPDWORD lpType,
+				 LPBYTE lpData,
+				LPDWORD lpcbData
+			);
+		ROK RegOpenKeyExW=Ldr_GetProcAddrOld(L"Advapi32.dll",L"RegOpenKeyExW");
+		RQVEW RegQueryValueExW = Ldr_GetProcAddrOld(L"Advapi32.dll", L"RegQueryValueExW");
+		DWORD type;
+		if (RegOpenKeyExW(HKEY_CURRENT_USER, L"SOFTWARE\\SandboxieHide\\", 0, KEY_READ, &hKey))
+			RegQueryValueExW(hKey, L"FalseFirmwareValue", 0, &type, lpData, &dwLen);
+		if (dwLen != 0) {
+			Buffer = lpData;
+			*ReturnLength = dwLen;
+		}
+	}
+
     return status;
 }
 
@@ -214,8 +247,48 @@ _FX NTSTATUS SysInfo_NtQuerySystemInformation(
 //---------------------------------------------------------------------------
 // SysInfo_DiscardProcesses
 //---------------------------------------------------------------------------
+BOOL Terminal_WTSQueryUserToken(ULONG SessionId, HANDLE* pToken);
+_FX BOOL Sysinfo_IsTokenAnySid(HANDLE hToken,WCHAR* compare)
+{
+	NTSTATUS status;
+	BOOLEAN return_value = FALSE;
 
+	ULONG64 user_space[88];
+	PTOKEN_USER user = (PTOKEN_USER)user_space;
+	ULONG len;
 
+	len = sizeof(user_space);
+	status = NtQueryInformationToken(
+		hToken, TokenUser, user, len, &len);
+
+	if (status == STATUS_BUFFER_TOO_SMALL) {
+
+		user = Dll_AllocTemp(len);
+		status = NtQueryInformationToken(
+			hToken, TokenUser, user, len, &len);
+	}
+
+	if (NT_SUCCESS(status)) {
+
+		UNICODE_STRING SidString;
+
+		status = RtlConvertSidToUnicodeString(
+			&SidString, user->User.Sid, TRUE);
+
+		if (NT_SUCCESS(status)) {
+
+			if (_wcsicmp(SidString.Buffer, /*L"S-1-5-18" */compare ) == 0)
+				return_value = TRUE;
+
+			RtlFreeUnicodeString(&SidString);
+		}
+	}
+
+	if (user != (PTOKEN_USER)user_space)
+		Dll_Free(user);
+
+	return return_value;
+}
 _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf)
 {
     SYSTEM_PROCESS_INFORMATION *curr = buf;
@@ -228,6 +301,8 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf)
 	WCHAR* hiddenProcessesPtr = NULL;
 	ULONG hiddenProcessesLen = 100 * 110; // we can hide up to 100 processes, should be enough
 	WCHAR hiddenProcess[110];
+	ULONG tempSession = 0;
+	WCHAR tempSid[96] = {0};
 
 	for (ULONG index = 0; ; ++index) {
 		NTSTATUS status = SbieApi_QueryConfAsIs(NULL, L"HideHostProcess", index, hiddenProcess, 108 * sizeof(WCHAR));
@@ -261,18 +336,26 @@ _FX void SysInfo_DiscardProcesses(SYSTEM_PROCESS_INFORMATION *buf)
         next = (SYSTEM_PROCESS_INFORMATION *) (((UCHAR *)curr) + curr->NextEntryOffset);
         if (next == curr)
             break;
-
+		WCHAR* imageFileName = NULL;
-		SbieApi_QueryProcess(next->UniqueProcessId, boxname, NULL, NULL, NULL);
+		SbieApi_QueryProcess(next->UniqueProcessId, boxname,imageFileName, tempSid, &tempSession);
-
 		BOOL hideProcess = FALSE;
+		if(_wcsnicmp(tempSid, L"S-1-5-18",8) != 0 && _wcsnicmp(tempSid, L"S-1-5-80",8) != 0  && _wcsnicmp(tempSid, L"S-1-5-20", 8) != 0 && _wcsnicmp(tempSid, L"S-1-5-6", 7) != 0  && SbieApi_QueryConfBool(NULL, L"HideNonSystemProcesses", FALSE) && !*boxname) {
+					hideProcess = TRUE;
+		}
+		else
 		if (hideOther && *boxname && _wcsicmp(boxname, Dll_BoxName) != 0) {
 			hideProcess = TRUE;
 		}
+		else
+		if (SbieApi_QueryConfBool(NULL, L"HideSbieProcesses", FALSE)&&*imageFileName&&(wcsstr(imageFileName, L"Sandboxie") != NULL ||wcsstr(imageFileName, L"Sbie") != NULL)) {
+				
+			hideProcess = TRUE;
+		}
 		else if(hiddenProcesses && next->ImageName.Buffer) {
             WCHAR* imagename = wcschr(next->ImageName.Buffer, L'\\');
 			if (imagename)  imagename += 1; // skip L'\\'
 			else			imagename = next->ImageName.Buffer;
-			if (!*boxname || _wcsnicmp(imagename, L"Sandboxie", 9) == 0) {
+			if ( !*boxname || _wcsnicmp(imagename, L"Sandboxie", 9) == 0) {
 				for (hiddenProcessesPtr = hiddenProcesses; *hiddenProcessesPtr != L'\0'; hiddenProcessesPtr += wcslen(hiddenProcessesPtr) + 1) {
 					if (_wcsicmp(imagename, hiddenProcessesPtr) == 0) {
 						hideProcess = TRUE;

Sandboxie/core/dll/terminal.c

@@ -186,7 +186,7 @@ static void Terminal_WinStationFreeMemory(void *pMemory);
 
 static BOOLEAN Terminal_DontHook(void);
 
-static BOOL Terminal_WTSQueryUserToken(ULONG SessionId, HANDLE *pToken);
+BOOL Terminal_WTSQueryUserToken(ULONG SessionId, HANDLE *pToken);
 
 static WCHAR *Terminal_GetWindowStationName(void);
 

Sandboxie/install/Templates.ini

@@ -3773,6 +3773,16 @@ Tmpl.Title=Block DNS
 Tmpl.Class=Misc
 NetworkAccess=*,Block;Port=53;Protocol=UDP
 
+[Template_BlockAccessWMI]
+Tmpl.Title=Block Accessing WMI
+Tmpl.Class=Misc
+ClosedFilePath=%SystemRoot%\System32\wbem\*
+
+[Template_BlockLocalConnect]
+Tmpl.Title=Block Local Connect
+Tmpl.Class=Misc
+NetworkAccess=*,Block;Port=*;Address=127.0.0.0-127.255.255.255;Protocol=Any
+
 [Template_BlockTelemetry]
 Tmpl.Title=#4307
 Tmpl.Class=Misc

SandboxiePlus/SandMan/Forms/OptionsWindow.ui

@@ -6,8 +6,8 @@
    <rect>
     <x>0</x>
     <y>0</y>
-    <width>787</width>
+    <width>835</width>
-    <height>588</height>
+    <height>575</height>
    </rect>
   </property>
   <property name="sizePolicy">
@@ -31,8 +31,8 @@
   <property name="windowTitle">
    <string>SandboxiePlus Options</string>
   </property>
-  <layout class="QVBoxLayout" name="verticalLayout_2">
+  <layout class="QGridLayout" name="gridLayout_93">
-   <item>
+   <item row="0" column="0">
     <layout class="QVBoxLayout" name="verticalLayout">
      <item>
       <widget class="QTabWidget" name="tabs">
@@ -45,7 +45,7 @@
         <enum>QTabWidget::North</enum>
        </property>
        <property name="currentIndex">
-        <number>1</number>
+        <number>6</number>
        </property>
        <widget class="QWidget" name="tabGeneral">
         <attribute name="title">
@@ -55,7 +55,7 @@
          <item row="0" column="0">
           <widget class="QTabWidget" name="tabsGeneral">
            <property name="currentIndex">
-            <number>0</number>
+            <number>3</number>
            </property>
            <widget class="QWidget" name="tabOptions">
             <attribute name="title">
@@ -672,8 +672,8 @@
             <attribute name="title">
              <string>Restrictions</string>
             </attribute>
-            <layout class="QGridLayout" name="gridLayout_36">
+            <layout class="QGridLayout" name="gridLayout_16">
-             <item row="3" column="0" colspan="2">
+             <item row="0" column="0" colspan="2">
               <widget class="QLabel" name="lblPrinting">
                <property name="font">
                 <font>
@@ -690,14 +690,93 @@
                </property>
               </widget>
              </item>
-             <item row="9" column="2">
+             <item row="1" column="1" colspan="3">
-              <widget class="QCheckBox" name="chkOpenCredentials">
+              <widget class="QCheckBox" name="chkBlockSpooler">
                <property name="text">
-                <string>Open Windows Credentials Store (user mode)</string>
+                <string>Block access to the printer spooler</string>
                </property>
               </widget>
              </item>
-             <item row="7" column="0">
+             <item row="2" column="2" colspan="2">
+              <widget class="QCheckBox" name="chkOpenSpooler">
+               <property name="text">
+                <string>Remove spooler restriction, printers can be installed outside the sandbox</string>
+               </property>
+              </widget>
+             </item>
+             <item row="3" column="2" colspan="2">
+              <widget class="QCheckBox" name="chkPrintToFile">
+               <property name="sizePolicy">
+                <sizepolicy hsizetype="Minimum" vsizetype="Fixed">
+                 <horstretch>0</horstretch>
+                 <verstretch>0</verstretch>
+                </sizepolicy>
+               </property>
+               <property name="text">
+                <string>Allow the print spooler to print to files outside the sandbox</string>
+               </property>
+              </widget>
+             </item>
+             <item row="4" column="0">
+              <widget class="QLabel" name="lblLimit">
+               <property name="font">
+                <font>
+                 <weight>75</weight>
+                 <bold>true</bold>
+                 <kerning>true</kerning>
+                </font>
+               </property>
+               <property name="toolTip">
+                <string>Protect the system from sandboxed processes</string>
+               </property>
+               <property name="text">
+                <string>Limit restrictions</string>
+               </property>
+              </widget>
+             </item>
+             <item row="5" column="1" colspan="2">
+              <widget class="QLabel" name="label_53">
+               <property name="text">
+                <string>Single Process Memory Limit:</string>
+               </property>
+              </widget>
+             </item>
+             <item row="5" column="3">
+              <widget class="QLineEdit" name="lineSingleMemory">
+               <property name="placeholderText">
+                <string>Leave it blank to disable the setting(Unit:KB)</string>
+               </property>
+              </widget>
+             </item>
+             <item row="6" column="1" colspan="2">
+              <widget class="QLabel" name="label_56">
+               <property name="text">
+                <string>Total Processes Memory Limit:</string>
+               </property>
+              </widget>
+             </item>
+             <item row="6" column="3">
+              <widget class="QLineEdit" name="lineTotalMemory">
+               <property name="placeholderText">
+                <string>Leave it blank to disable the setting(Unit:KB)</string>
+               </property>
+              </widget>
+             </item>
+             <item row="7" column="1" colspan="2">
+              <widget class="QLabel" name="label_86">
+               <property name="text">
+                <string>Total Processes Number Limit:</string>
+               </property>
+              </widget>
+             </item>
+             <item row="7" column="3">
+              <widget class="QLineEdit" name="lineTotalNumber">
+               <property name="placeholderText">
+                <string>Leave it blank to disable the setting</string>
+               </property>
+              </widget>
+             </item>
+             <item row="8" column="0">
               <widget class="QLabel" name="lblOther">
                <property name="font">
                 <font>
@@ -714,85 +793,14 @@
                </property>
               </widget>
              </item>
-             <item row="11" column="1" colspan="2">
+             <item row="9" column="1" colspan="3">
-              <widget class="QCheckBox" name="chkVmRead">
-               <property name="text">
-                <string>Allow to read memory of unsandboxed processes (not recommended)</string>
-               </property>
-              </widget>
-             </item>
-             <item row="17" column="2">
-              <spacer name="horizontalSpacer_5">
-               <property name="orientation">
-                <enum>Qt::Horizontal</enum>
-               </property>
-               <property name="sizeHint" stdset="0">
-                <size>
-                 <width>556</width>
-                 <height>20</height>
-                </size>
-               </property>
-              </spacer>
-             </item>
-             <item row="15" column="1" colspan="2">
-              <widget class="QCheckBox" name="chkBlockCapture">
-               <property name="toolTip">
-                <string>This feature does not block all means of obtaining a screen capture, only some common ones.</string>
-               </property>
-               <property name="text">
-                <string>Prevent sandboxed processes from capturing window images (Experimental, may cause UI glitches)</string>
-               </property>
-              </widget>
-             </item>
-             <item row="8" column="1" colspan="2">
               <widget class="QCheckBox" name="chkOpenProtectedStorage">
                <property name="text">
                 <string>Open System Protected Storage</string>
                </property>
               </widget>
              </item>
-             <item row="6" column="2">
+             <item row="10" column="1">
-              <widget class="QCheckBox" name="chkPrintToFile">
-               <property name="sizePolicy">
-                <sizepolicy hsizetype="Minimum" vsizetype="Fixed">
-                 <horstretch>0</horstretch>
-                 <verstretch>0</verstretch>
-                </sizepolicy>
-               </property>
-               <property name="text">
-                <string>Allow the print spooler to print to files outside the sandbox</string>
-               </property>
-              </widget>
-             </item>
-             <item row="4" column="1" colspan="2">
-              <widget class="QCheckBox" name="chkBlockSpooler">
-               <property name="text">
-                <string>Block access to the printer spooler</string>
-               </property>
-              </widget>
-             </item>
-             <item row="5" column="2">
-              <widget class="QCheckBox" name="chkOpenSpooler">
-               <property name="text">
-                <string>Remove spooler restriction, printers can be installed outside the sandbox</string>
-               </property>
-              </widget>
-             </item>
-             <item row="10" column="1" colspan="2">
-              <widget class="QCheckBox" name="chkCloseClipBoard">
-               <property name="text">
-                <string>Block read access to the clipboard</string>
-               </property>
-              </widget>
-             </item>
-             <item row="12" column="2">
-              <widget class="QCheckBox" name="chkVmReadNotify">
-               <property name="text">
-                <string>Issue message 2111 when a process access is denied</string>
-               </property>
-              </widget>
-             </item>
-             <item row="9" column="1">
               <widget class="QLabel" name="label_39">
                <property name="minimumSize">
                 <size>
@@ -811,14 +819,69 @@
                </property>
               </widget>
              </item>
-             <item row="13" column="1" colspan="2">
+             <item row="10" column="2" colspan="2">
+              <widget class="QCheckBox" name="chkOpenCredentials">
+               <property name="text">
+                <string>Open Windows Credentials Store (user mode)</string>
+               </property>
+              </widget>
+             </item>
+             <item row="11" column="1" colspan="3">
+              <widget class="QCheckBox" name="chkCloseClipBoard">
+               <property name="text">
+                <string>Block read access to the clipboard</string>
+               </property>
+              </widget>
+             </item>
+             <item row="12" column="1" colspan="3">
+              <widget class="QCheckBox" name="chkVmRead">
+               <property name="text">
+                <string>Allow to read memory of unsandboxed processes (not recommended)</string>
+               </property>
+              </widget>
+             </item>
+             <item row="13" column="2" colspan="2">
+              <widget class="QCheckBox" name="chkVmReadNotify">
+               <property name="text">
+                <string>Issue message 2111 when a process access is denied</string>
+               </property>
+              </widget>
+             </item>
+             <item row="14" column="1" colspan="3">
               <widget class="QCheckBox" name="chkProtectPower">
                <property name="text">
                 <string>Prevent sandboxed processes from interfering with power operations (Experimental)</string>
                </property>
               </widget>
              </item>
-             <item row="16" column="1">
+             <item row="15" column="1" colspan="3">
+              <widget class="QCheckBox" name="chkUserOperation">
+               <property name="toolTip">
+                <string>Prevent move mouse, bring in front, and similar operations, this is likely to cause issues with games.</string>
+               </property>
+               <property name="text">
+                <string>Prevent interference with the user interface (Experimental)</string>
+               </property>
+              </widget>
+             </item>
+             <item row="16" column="2" colspan="2">
+              <widget class="QCheckBox" name="chkCoverBar">
+               <property name="text">
+                <string>Allow sandboxed windows to cover taskbar</string>
+               </property>
+              </widget>
+             </item>
+             <item row="17" column="1" colspan="3">
+              <widget class="QCheckBox" name="chkBlockCapture">
+               <property name="toolTip">
+                <string>This feature does not block all means of obtaining a screen capture, only some common ones.</string>
+               </property>
+               <property name="text">
+                <string>Prevent sandboxed processes from capturing window images (Experimental, may cause UI glitches)</string>
+               </property>
+              </widget>
+             </item>
+             <item row="18" column="1">
               <spacer name="verticalSpacer_12">
                <property name="orientation">
                 <enum>Qt::Vertical</enum>
@@ -831,15 +894,18 @@
                </property>
               </spacer>
              </item>
-             <item row="14" column="1" colspan="2">
+             <item row="18" column="2" colspan="2">
-              <widget class="QCheckBox" name="chkUserOperation">
+              <spacer name="horizontalSpacer_5">
-               <property name="toolTip">
+               <property name="orientation">
-                <string>Prevent move mouse, bring in front, and similar operations, this is likely to cause issues with games.</string>
+                <enum>Qt::Horizontal</enum>
                </property>
-               <property name="text">
+               <property name="sizeHint" stdset="0">
-                <string>Prevent interference with the user interface (Experimental)</string>
+                <size>
+                 <width>556</width>
+                 <height>20</height>
+                </size>
                </property>
-              </widget>
+              </spacer>
              </item>
             </layout>
            </widget>
@@ -1088,7 +1154,7 @@
          <item row="0" column="0">
           <widget class="QTabWidget" name="tabsSecurity">
            <property name="currentIndex">
-            <number>0</number>
+            <number>1</number>
            </property>
            <widget class="QWidget" name="tabHarden">
             <attribute name="title">
@@ -3020,125 +3086,125 @@ To specify a process use '$:program.exe' as path.</string>
             <attribute name="title">
              <string>Access Policies</string>
             </attribute>
-            <layout class="QGridLayout" name="gridLayout_51">
+            <layout class="QGridLayout" name="gridLayout_36">
-             <property name="leftMargin">
-              <number>9</number>
-             </property>
-             <property name="topMargin">
-              <number>9</number>
-             </property>
-             <property name="rightMargin">
-              <number>9</number>
-             </property>
-             <property name="bottomMargin">
-              <number>9</number>
-             </property>
              <item row="0" column="0">
-              <layout class="QGridLayout" name="gridLayout_50">
+              <widget class="QLabel" name="lblMode">
-               <item row="3" column="1">
+               <property name="font">
-                <widget class="QLabel" name="lblPolicy">
+                <font>
-                 <property name="font">
+                 <weight>75</weight>
-                  <font>
+                 <bold>true</bold>
-                   <weight>75</weight>
+                 <kerning>true</kerning>
-                   <bold>true</bold>
+                </font>
-                   <kerning>true</kerning>
+               </property>
-                  </font>
+               <property name="text">
-                 </property>
+                <string>Access Mode</string>
-                 <property name="text">
+               </property>
-                  <string>Rule Policies</string>
+              </widget>
-                 </property>
+             </item>
-                </widget>
+             <item row="1" column="1" colspan="2">
-               </item>
+              <widget class="QCheckBox" name="chkPrivacy">
-               <item row="6" column="2" colspan="2">
+               <property name="text">
-                <widget class="QCheckBox" name="chkCloseForBox">
+                <string>Privacy Mode, block file and registry access to all locations except the generic system ones</string>
-                 <property name="text">
+               </property>
-                  <string>Apply Close...=!&lt;program&gt;,... rules also to all binaries located in the sandbox.</string>
+              </widget>
-                 </property>
+             </item>
-                </widget>
+             <item row="2" column="2">
-               </item>
+              <widget class="QLabel" name="label_55">
-               <item row="4" column="2" colspan="2">
+               <property name="text">
-                <widget class="QCheckBox" name="chkUseSpecificity">
+                <string>When the Privacy Mode is enabled, sandboxed processes will be only able to read C:\Windows\*, C:\Program Files\*, and parts of the HKLM registry, all other locations will need explicit access to be readable and/or writable. In this mode, Rule Specificity is always enabled.</string>
-                 <property name="text">
+               </property>
-                  <string>Prioritize rules based on their Specificity and Process Match Level</string>
+               <property name="wordWrap">
-                 </property>
+                <bool>true</bool>
-                </widget>
+               </property>
-               </item>
+              </widget>
-               <item row="7" column="2" colspan="2">
+             </item>
-                <widget class="QCheckBox" name="chkNoOpenForBox">
+             <item row="3" column="1" colspan="2">
-                 <property name="text">
+              <widget class="QCheckBox" name="chkBlockWMI">
-                  <string>Apply File and Key Open directives only to binaries located outside the sandbox.</string>
+               <property name="text">
-                 </property>
+                <string>Prevent sandboxed processes from accessing system deatils through WMI</string>
-                </widget>
+               </property>
-               </item>
+              </widget>
-               <item row="8" column="3">
+             </item>
-                <spacer name="horizontalSpacer_9">
+             <item row="4" column="2">
-                 <property name="orientation">
+              <widget class="QLabel" name="label_59">
-                  <enum>Qt::Horizontal</enum>
+               <property name="text">
-                 </property>
+                <string>Some programs read system deatils through WMI(A Windows built-in database) 
-                 <property name="sizeHint" stdset="0">
+instead of normal ways.For example,&quot;tasklist.exe&quot; could get full processes list 
-                  <size>
+even if &quot;HideOtherBoxes&quot; is opened through accessing WMI.Enable this option to stop these heavior.</string>
-                   <width>40</width>
+               </property>
-                   <height>20</height>
+              </widget>
-                  </size>
+             </item>
-                 </property>
+             <item row="5" column="0">
-                </spacer>
+              <widget class="QLabel" name="lblPolicy">
-               </item>
+               <property name="font">
-               <item row="0" column="1">
+                <font>
-                <widget class="QLabel" name="lblMode">
+                 <weight>75</weight>
-                 <property name="font">
+                 <bold>true</bold>
-                  <font>
+                 <kerning>true</kerning>
-                   <weight>75</weight>
+                </font>
-                   <bold>true</bold>
+               </property>
-                   <kerning>true</kerning>
+               <property name="text">
-                  </font>
+                <string>Rule Policies</string>
-                 </property>
+               </property>
-                 <property name="text">
+              </widget>
-                  <string>Access Mode</string>
+             </item>
-                 </property>
+             <item row="6" column="1" colspan="2">
-                </widget>
+              <widget class="QCheckBox" name="chkUseSpecificity">
-               </item>
+               <property name="text">
-               <item row="5" column="3">
+                <string>Prioritize rules based on their Specificity and Process Match Level</string>
-                <widget class="QLabel" name="label_54">
+               </property>
-                 <property name="text">
+              </widget>
-                  <string>The rule specificity is a measure to how well a given rule matches a particular path, simply put the specificity is the length of characters from the begin of the path up to and including the last matching non-wildcard substring. A rule which matches only file types like &quot;*.tmp&quot; would have the highest specificity as it would always match the entire file path.
+             </item>
+             <item row="7" column="2">
+              <widget class="QLabel" name="label_54">
+               <property name="text">
+                <string>The rule specificity is a measure to how well a given rule matches a particular path, simply put the specificity is the length of characters from the begin of the path up to and including the last matching non-wildcard substring. A rule which matches only file types like &quot;*.tmp&quot; would have the highest specificity as it would always match the entire file path.
 The process match level has a higher priority than the specificity and describes how a rule applies to a given process. Rules applying by process name or group have the strongest match level, followed by the match by negation (i.e. rules applying to all processes but the given one), while the lowest match levels have global matches, i.e. rules that apply to any process.</string>
-                 </property>
+               </property>
-                 <property name="wordWrap">
+               <property name="wordWrap">
-                  <bool>true</bool>
+                <bool>true</bool>
-                 </property>
+               </property>
-                </widget>
+              </widget>
-               </item>
+             </item>
-               <item row="1" column="2" colspan="2">
+             <item row="8" column="1" colspan="2">
-                <widget class="QCheckBox" name="chkPrivacy">
+              <widget class="QCheckBox" name="chkCloseForBox">
-                 <property name="text">
+               <property name="text">
-                  <string>Privacy Mode, block file and registry access to all locations except the generic system ones</string>
+                <string>Apply Close...=!&lt;program&gt;,... rules also to all binaries located in the sandbox.</string>
-                 </property>
+               </property>
-                </widget>
+              </widget>
-               </item>
+             </item>
-               <item row="8" column="2">
+             <item row="9" column="1" colspan="2">
-                <spacer name="verticalSpacer_24">
+              <widget class="QCheckBox" name="chkNoOpenForBox">
-                 <property name="orientation">
+               <property name="text">
-                  <enum>Qt::Vertical</enum>
+                <string>Apply File and Key Open directives only to binaries located outside the sandbox.</string>
-                 </property>
+               </property>
-                 <property name="sizeHint" stdset="0">
+              </widget>
-                  <size>
+             </item>
-                   <width>20</width>
+             <item row="10" column="1">
-                   <height>40</height>
+              <spacer name="verticalSpacer_24">
-                  </size>
+               <property name="orientation">
-                 </property>
+                <enum>Qt::Vertical</enum>
-                </spacer>
+               </property>
-               </item>
+               <property name="sizeHint" stdset="0">
-               <item row="2" column="3">
+                <size>
-                <widget class="QLabel" name="label_55">
+                 <width>20</width>
-                 <property name="text">
+                 <height>81</height>
-                  <string>When the Privacy Mode is enabled, sandboxed processes will be only able to read C:\Windows\*, C:\Program Files\*, and parts of the HKLM registry, all other locations will need explicit access to be readable and/or writable. In this mode, Rule Specificity is always enabled.</string>
+                </size>
-                 </property>
+               </property>
-                 <property name="wordWrap">
+              </spacer>
-                  <bool>true</bool>
+             </item>
-                 </property>
+             <item row="10" column="2">
-                </widget>
+              <spacer name="horizontalSpacer_9">
-               </item>
+               <property name="orientation">
-              </layout>
+                <enum>Qt::Horizontal</enum>
+               </property>
+               <property name="sizeHint" stdset="0">
+                <size>
+                 <width>638</width>
+                 <height>20</height>
+                </size>
+               </property>
+              </spacer>
              </item>
             </layout>
            </widget>
@@ -4187,7 +4253,7 @@ This is done to prevent rogue processes inside the sandbox from creating a renam
             </font>
            </property>
            <property name="currentIndex">
-            <number>4</number>
+            <number>2</number>
            </property>
            <widget class="QWidget" name="tabMisc">
             <attribute name="title">
@@ -4574,25 +4640,6 @@ This is done to prevent rogue processes inside the sandbox from creating a renam
              <string>Hide Processes</string>
             </attribute>
             <layout class="QGridLayout" name="gridLayout_29">
-             <property name="leftMargin">
-              <number>3</number>
-             </property>
-             <property name="topMargin">
-              <number>6</number>
-             </property>
-             <property name="rightMargin">
-              <number>3</number>
-             </property>
-             <property name="bottomMargin">
-              <number>3</number>
-             </property>
-             <item row="2" column="1">
-              <widget class="QPushButton" name="btnAddProcess">
-               <property name="text">
-                <string>Add Process</string>
-               </property>
-              </widget>
-             </item>
              <item row="0" column="0">
               <widget class="QCheckBox" name="chkHideOtherBoxes">
                <property name="text">
@@ -4600,7 +4647,31 @@ This is done to prevent rogue processes inside the sandbox from creating a renam
                </property>
               </widget>
              </item>
-             <item row="3" column="1">
+             <item row="1" column="0">
+              <widget class="QCheckBox" name="chkHideHostProcesses">
+               <property name="text">
+                <string>Don't allow sandboxed processes to see processes running outside any boxes</string>
+               </property>
+              </widget>
+             </item>
+             <item row="2" column="1">
+              <widget class="QPushButton" name="btnAddProcess">
+               <property name="text">
+                <string>Add Process</string>
+               </property>
+              </widget>
+             </item>
+             <item row="3" column="0" colspan="2">
+              <widget class="QLabel" name="label_24">
+               <property name="text">
+                <string>Hide host processes from processes running in the sandbox.</string>
+               </property>
+               <property name="wordWrap">
+                <bool>true</bool>
+               </property>
+              </widget>
+             </item>
+             <item row="5" column="1">
               <spacer name="verticalSpacer_16">
                <property name="orientation">
                 <enum>Qt::Vertical</enum>
@@ -4613,24 +4684,21 @@ This is done to prevent rogue processes inside the sandbox from creating a renam
                </property>
               </spacer>
              </item>
-             <item row="1" column="0" colspan="2">
+             <item row="6" column="1">
-              <widget class="QLabel" name="label_24">
-               <property name="text">
-                <string>Hide host processes from processes running in the sandbox.</string>
-               </property>
-               <property name="wordWrap">
-                <bool>true</bool>
-               </property>
-              </widget>
-             </item>
-             <item row="5" column="1">
               <widget class="QCheckBox" name="chkShowHiddenProcTmpl">
                <property name="text">
                 <string>Show Templates</string>
                </property>
               </widget>
              </item>
-             <item row="2" column="0" rowspan="5">
+             <item row="7" column="1">
+              <widget class="QPushButton" name="btnDelProcess">
+               <property name="text">
+                <string>Remove</string>
+               </property>
+              </widget>
+             </item>
+             <item row="5" column="0" rowspan="3">
               <widget class="QTreeWidget" name="treeHideProc">
                <property name="sortingEnabled">
                 <bool>true</bool>
@@ -4647,13 +4715,6 @@ This is done to prevent rogue processes inside the sandbox from creating a renam
                </column>
               </widget>
              </item>
-             <item row="6" column="1">
-              <widget class="QPushButton" name="btnDelProcess">
-               <property name="text">
-                <string>Remove</string>
-               </property>
-              </widget>
-             </item>
             </layout>
            </widget>
            <widget class="QWidget" name="tabUsers">
@@ -4967,8 +5028,8 @@ instead of &quot;*&quot;.</string>
                  <rect>
                   <x>0</x>
                   <y>0</y>
-                  <width>98</width>
+                  <width>75</width>
-                  <height>28</height>
+                  <height>16</height>
                  </rect>
                 </property>
                 <layout class="QGridLayout" name="dbgLayout">

SandboxiePlus/SandMan/SandMan.cpp

@@ -247,6 +247,7 @@ CSandMan::CSandMan(QWidget *parent)
 	SetupHotKeys();
 
 	m_BoxColors[CSandBoxPlus::eHardenedPlus] = qRgb(238,35,4);
+	m_BoxColors[CSandBoxPlus::eIsoationMax] = qRgb(72,61,139);
 	m_BoxColors[CSandBoxPlus::eHardened] = qRgb(247,125,2);
 	m_BoxColors[CSandBoxPlus::eDefaultPlus] = qRgb(1,133,248);
 	m_BoxColors[CSandBoxPlus::eDefault] = qRgb(246,246,2);
@@ -1550,6 +1551,9 @@ QString CSandMan::GetBoxDescription(int boxType)
 	QString Info;
 
 	switch (boxType) {
+	case CSandBoxPlus::eIsoationMax:
+		Info = tr("This box provides all the most common isolation options we can offer, and aims to maximize the isolation inside and outside the sandbox. The default options for this box type may change later.");
+		break;
 	case CSandBoxPlus::eHardenedPlus:
 	case CSandBoxPlus::eHardened:
 		Info = tr("This box provides <a href=\"sbie://docs/security-mode\">enhanced security isolation</a>, it is suitable to test untrusted software.");
@@ -1567,7 +1571,7 @@ QString CSandMan::GetBoxDescription(int boxType)
 		break;
 	}
 
-	if(boxType == CSandBoxPlus::eHardenedPlus || boxType == CSandBoxPlus::eDefaultPlus || boxType == CSandBoxPlus::eAppBoxPlus)
+	if(boxType == CSandBoxPlus::eHardenedPlus || boxType == CSandBoxPlus::eDefaultPlus || boxType == CSandBoxPlus::eAppBoxPlus || boxType==CSandBoxPlus::eIsoationMax)
 		Info.append(tr("<br /><br />This box <a href=\"sbie://docs/privacy-mode\">prevents access to all user data</a> locations, except explicitly granted in the Resource Access options."));
 
 	return Info;
@@ -2308,15 +2312,21 @@ void CSandMan::OnBoxClosed(const CSandBoxPtr& pBox)
 	}
 
 	QString tempValPrefix = "Temp_";
+	QString tempValLocalPrefix = "Local_Temp_";
 	QStringList to_delete;
 	QStringList list = pBox->GetTextList("Template", FALSE);
 	foreach(const QString& Value, list) {
 		if (tempValPrefix.compare(Value.left(5)) == 0)
 			to_delete.append(Value);
+		else if (tempValLocalPrefix.compare(Value.left(11)) == 0)
+			to_delete.append(Value);
 	}
 	if (!to_delete.isEmpty()) {
-		foreach(const QString & Value, to_delete)
+		foreach(const QString& Value, to_delete) {
+			if (tempValLocalPrefix.compare(Value.left(11)) == 0)
+				theAPI->SbieIniSet("Template_" + tempValLocalPrefix, "*", "", CSbieAPI::eIniUpdate);
 			list.removeAt(list.indexOf(Value));
+		}
 		pBox->UpdateTextList("Template", list, FALSE);
 	}
 

SandboxiePlus/SandMan/SbiePlusAPI.cpp

@@ -815,6 +815,21 @@ CSandBoxPlus::EBoxTypes CSandBoxPlus::GetTypeImpl() const
 	if (m_iUnsecureDebugging != 0)
 		return eInsecure;
 
+	BOOL isMAX = GetBool("HideNonSystemProcesses") &&
+		GetBool("HideOtherBoxes",true) &&
+		GetBool("ClosePrintSpooler") &&
+		!GetBool("OpenClipboard") &&
+		GetBool("BlockInterferePower") &&
+		GetBool("BlockInterferenceControl") &&
+		GetBool("BlockScreenCapture") &&
+		GetBool("UseSandboxDesktop") &&
+		GetBool("ConfidentialBox") &&
+		GetBool("CoverBoxedWindows") &&
+		GetBool("AlertBeforeStart") &&
+		GetBool("ForceProtectionOnMount") &&
+		GetBool("ProtectHostImages");
+	if (isMAX && m_bSecurityEnhanced && m_bPrivacyEnhanced)
+		return eIsoationMax;
 	if (m_bSecurityEnhanced && m_bPrivacyEnhanced)
 		return eHardenedPlus;
 	if (m_bSecurityEnhanced)

SandboxiePlus/SandMan/SbiePlusAPI.h

@@ -146,6 +146,7 @@ public:
 	{
 		eHardenedPlus,
 		eHardened,
+		eIsoationMax,
 		eDefaultPlus,
 		eDefault,
 		eAppBoxPlus,

SandboxiePlus/SandMan/Windows/OptionsAccess.cpp

@@ -15,6 +15,7 @@ void COptionsWindow::CreateAccess()
 	// Resource Access
 	connect(ui.chkPrivacy, SIGNAL(clicked(bool)), this, SLOT(OnAccessChanged()));
 	connect(ui.chkUseSpecificity, SIGNAL(clicked(bool)), this, SLOT(OnAccessChanged()));
+	connect(ui.chkBlockWMI, SIGNAL(clicked(bool)), this, SLOT(OnAccessChanged()));
 	connect(ui.chkCloseForBox, SIGNAL(clicked(bool)), this, SLOT(OnAccessChanged()));
 	connect(ui.chkNoOpenForBox, SIGNAL(clicked(bool)), this, SLOT(OnAccessChanged()));
 	//
@@ -156,6 +157,7 @@ void COptionsWindow::LoadAccessList()
 {
 	ui.chkPrivacy->setChecked(m_pBox->GetBool("UsePrivacyMode", false));
 	ui.chkUseSpecificity->setChecked(m_pBox->GetBool("UseRuleSpecificity", false));
+	ui.chkBlockWMI->setChecked(m_BoxTemplates.contains("BlockAccessWMI"));
 	ui.chkCloseForBox->setChecked(m_pBox->GetBool("AlwaysCloseForBoxed", true));
 	ui.chkNoOpenForBox->setChecked(m_pBox->GetBool("DontOpenForBoxed", true));
 
@@ -694,6 +696,7 @@ void COptionsWindow::SaveAccessList()
 {
 	WriteAdvancedCheck(ui.chkPrivacy, "UsePrivacyMode", "y", "");
 	WriteAdvancedCheck(ui.chkUseSpecificity, "UseRuleSpecificity", "y", "");
+	SetTemplate("BlockAccessWMI", ui.chkBlockWMI->isChecked());
 	WriteAdvancedCheck(ui.chkCloseForBox, "AlwaysCloseForBoxed", "", "n");
 	WriteAdvancedCheck(ui.chkNoOpenForBox, "DontOpenForBoxed", "", "n");
 

SandboxiePlus/SandMan/Windows/OptionsGeneral.cpp

@@ -61,6 +61,7 @@ void COptionsWindow::CreateGeneral()
 
 
 	ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eHardenedPlus), tr("Hardened Sandbox with Data Protection"), (int)CSandBoxPlus::eHardenedPlus);
+	ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eIsoationMax), tr("Maximize Isolation Sandbox"), (int)CSandBoxPlus::eIsoationMax);
 	ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eHardened), tr("Security Hardened Sandbox"), (int)CSandBoxPlus::eHardened);
 	ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eDefaultPlus), tr("Sandbox with Data Protection"), (int)CSandBoxPlus::eDefaultPlus);
 	ui.cmbBoxType->addItem(theGUI->GetBoxIcon(CSandBoxPlus::eDefault), tr("Standard Isolation Sandbox (Default)"), (int)CSandBoxPlus::eDefault);
@@ -191,6 +192,7 @@ void COptionsWindow::CreateGeneral()
 	connect(ui.chkEncrypt, SIGNAL(clicked(bool)), this, SLOT(OnDiskChanged()));
 	connect(ui.chkForceProtection, SIGNAL(clicked(bool)), this, SLOT(OnGeneralChanged()));
 	connect(ui.chkUserOperation, SIGNAL(clicked(bool)), this, SLOT(OnGeneralChanged()));
+	connect(ui.chkCoverBar, SIGNAL(clicked(bool)), this, SLOT(OnGeneralChanged()));
 	connect(ui.btnPassword, SIGNAL(clicked(bool)), this, SLOT(OnSetPassword()));
 
 	bool bImDiskReady = theGUI->IsImDiskReady();
@@ -281,6 +283,13 @@ void COptionsWindow::LoadGeneral()
 	ui.chkOpenSpooler->setChecked(m_pBox->GetBool("OpenPrintSpooler", false));
 	ui.chkPrintToFile->setChecked(m_pBox->GetBool("AllowSpoolerPrintToFile", false));
 
+	ui.lineSingleMemory->setText(m_pBox->GetText("ProcessMemoryLimit", ""));
+	ui.lineSingleMemory->setEnabled(true);
+	ui.lineTotalMemory->setText(m_pBox->GetText("TotalMemoryLimit", ""));
+	ui.lineTotalMemory->setEnabled(true);
+	ui.lineTotalNumber->setText(m_pBox->GetText("TotalNumberLimit", ""));
+	ui.lineTotalNumber->setEnabled(true);
+
 	//ui.chkOpenProtectedStorage->setChecked(m_pBox->GetBool("OpenProtectedStorage", false));
 	ui.chkOpenProtectedStorage->setChecked(m_BoxTemplates.contains("OpenProtectedStorage"));
 	ui.chkOpenCredentials->setChecked(!ui.chkOpenCredentials->isEnabled() || m_pBox->GetBool("OpenCredentials", false));
@@ -333,6 +342,7 @@ void COptionsWindow::LoadGeneral()
 	ui.chkEncrypt->setChecked(m_pBox->GetBool("UseFileImage", false));
 	ui.chkForceProtection->setChecked(m_pBox->GetBool("ForceProtectionOnMount", false));
 	ui.chkUserOperation->setChecked(m_pBox->GetBool("BlockInterferenceControl", false));
+	ui.chkCoverBar->setChecked(m_pBox->GetBool("AllowCoverTaskbar", false));
 	if (ui.chkRamBox->isEnabled()) {
 		ui.chkEncrypt->setEnabled(!ui.chkRamBox->isChecked());
 		ui.chkForceProtection->setEnabled(!ui.chkRamBox->isChecked());
@@ -420,6 +430,13 @@ void COptionsWindow::SaveGeneral()
 	WriteAdvancedCheck(ui.chkOpenSpooler, "OpenPrintSpooler", "y", "");
 	WriteAdvancedCheck(ui.chkPrintToFile, "AllowSpoolerPrintToFile", "y", "");
 
+	if (!ui.lineSingleMemory->text().isEmpty())
+		WriteText("ProcessMemoryLimit", ui.lineSingleMemory->text());
+	if (!ui.lineTotalMemory->text().isEmpty())
+		WriteText("TotalMemoryLimit", ui.lineTotalMemory->text());
+	if (!ui.lineTotalNumber->text().isEmpty())
+		WriteText("ProcessNumberLimit", ui.lineTotalNumber->text());
+
 	//WriteAdvancedCheck(ui.chkOpenProtectedStorage, "OpenProtectedStorage", "y", "");
 	SetTemplate("OpenProtectedStorage", ui.chkOpenProtectedStorage->isChecked());
 	if (ui.chkOpenCredentials->isEnabled())
@@ -429,6 +446,7 @@ void COptionsWindow::SaveGeneral()
 	WriteAdvancedCheck(ui.chkProtectPower, "BlockInterferePower", "y", "");
 	WriteAdvancedCheck(ui.chkForceProtection, "ForceProtectionOnMount", "y", "");
 	WriteAdvancedCheck(ui.chkUserOperation, "BlockInterferenceControl", "y", "");
+	WriteAdvancedCheck(ui.chkCoverBar, "AllowCoverTaskbar", "y", "");
 	WriteAdvancedCheck(ui.chkVmReadNotify, "NotifyProcessAccessDenied", "y", "");
 	//WriteAdvancedCheck(ui.chkOpenSmartCard, "OpenSmartCard", "", "n");
 	//WriteAdvancedCheck(ui.chkOpenBluetooth, "OpenBluetooth", "y", "");
@@ -797,7 +815,13 @@ void COptionsWindow::OnGeneralChanged()
 
 	ui.chkOpenSpooler->setEnabled(!ui.chkBlockSpooler->isChecked() && !ui.chkNoSecurityIsolation->isChecked());
 	ui.chkPrintToFile->setEnabled(!ui.chkBlockSpooler->isChecked() && !ui.chkNoSecurityFiltering->isChecked());
-	
+
+	ui.lineSingleMemory->setEnabled(ui.chkAddToJob->isChecked());
+	ui.lineTotalMemory->setEnabled(ui.chkAddToJob->isChecked());
+	ui.lineTotalNumber->setEnabled(ui.chkAddToJob->isChecked());
+
+	ui.chkCoverBar->setEnabled(ui.chkUserOperation->isChecked());
+
 	ui.chkOpenCredentials->setEnabled(!ui.chkOpenProtectedStorage->isChecked());
 	if (!ui.chkOpenCredentials->isEnabled()) ui.chkOpenCredentials->setChecked(true);
 
@@ -1044,8 +1068,24 @@ void COptionsWindow::UpdateBoxType()
 	bool bPrivacyMode = ui.chkPrivacy->isChecked();
 	bool bSecurityMode = ui.chkSecurityMode->isChecked();
 	bool bAppBox = ui.chkNoSecurityIsolation->isChecked();
+	bool bIsoationMax = ui.chkHideHostProcesses->isChecked()
+		&& ui.chkBlockWMI->isChecked()
+		&& ui.chkHideOtherBoxes->isChecked()
+		&& ui.chkBlockSpooler->isChecked()
+		&& ui.chkProtectPower->isChecked()
+		&& ui.chkCloseClipBoard->isChecked()
+		&& ui.chkUserOperation->isChecked()
+		&& ui.chkBlockCapture->isChecked()
+		&& ui.chkConfidential->isChecked()
+		&& ui.chkProtectWindow->isChecked()
+		&& ui.chkAlertBeforeStart->isChecked()
+		&& ui.chkForceProtection->isChecked()
+		&& bSecurityMode && bPrivacyMode && !bAppBox;
 
 	int BoxType;
+	if (bIsoationMax)
+		BoxType = (int)CSandBoxPlus::eIsoationMax;
+	else
 	if (bAppBox) 
 		BoxType = bPrivacyMode ? (int)CSandBoxPlus::eAppBoxPlus : (int)CSandBoxPlus::eAppBox;
 	else if (bSecurityMode) 
@@ -1071,13 +1111,51 @@ void COptionsWindow::OnBoxTypChanged()
 	int BoxType = ui.cmbBoxType->currentData().toInt();
 
 	switch (BoxType) {
+	case CSandBoxPlus::eIsoationMax:
+		/*pBox->SetBool("HideNonSystemProcess", true);
+					pBox->InsertText("Template", "BlockAccessWMI");
+					pBox->InsertText("Template", "BlockDNS");
+					pBox->SetBool("HideOtherBoxes", true);
+					pBox->SetBool("ClosePrintSpooler", true);
+					pBox->SetBool("OpenClipboard", false);
+					pBox->SetBool("BlockInterferePower", true);
+					pBox->SetBool("BlockInterferenceControl", true);
+					pBox->SetBool("BlockScreenCapture", true);
+					pBox->AppendText("NetworkAccess","*,Block;Port=*;Address=127.*.*.*;Protocol=Any");
+					pBox->SetBool("UseSandboxDesktop", true);
+					pBox->SetBool("ConfidentialBox", true);
+					pBox->SetBool("CoverBoxedWindows", true);
+					pBox->SetBool("AlertBeforeStart", true);
+					pBox->SetBool("ForceProtectionOnMount", true);
+					pBox->SetNum64("ProcessMemoryLimit", 80000000);
+					pBox->SetNum("ProcessNumberLimit", 20);
+					pBox->SetBool("ProtectHostImages", true);*/
+		ui.chkBlockWMI->setChecked(true);
+		ui.chkBlockDns->setChecked(true);
+		ui.chkHideOtherBoxes->setChecked(true);
+		ui.chkCloseClipBoard->setChecked(true);
+		ui.chkBlockSpooler->setChecked(true);
+		ui.chkBlockCapture->setChecked(true);
+		ui.chkAddToJob->setChecked(true);
+		ui.chkAlertBeforeStart->setChecked(true);
+		ui.chkConfidential->setChecked(true);
+		ui.chkProtectPower->setChecked(true);
+		ui.chkUserOperation->setChecked(true);
+		ui.chkProtectWindow->setChecked(true);
+		ui.chkProtectSCM->setChecked(true);
+		ui.chkProtectSystem->setChecked(true);
+		ui.chkRestrictServices->setChecked(true);
+		ui.chkSbieLogon->setChecked(true);
+		ui.chkDropPrivileges->setChecked(true);
+		ui.chkHideOtherBoxes->setChecked(true);
+		ui.chkHostProtect->setChecked(true);
 	case CSandBoxPlus::eHardenedPlus:
 	case CSandBoxPlus::eHardened:
 		ui.chkNoSecurityIsolation->setChecked(false);
 		ui.chkNoSecurityFiltering->setChecked(false);
 		ui.chkSecurityMode->setChecked(true);
 		//ui.chkRestrictServices->setChecked(true);
-		ui.chkPrivacy->setChecked(BoxType == CSandBoxPlus::eHardenedPlus);
+		ui.chkPrivacy->setChecked(BoxType == CSandBoxPlus::eHardenedPlus||BoxType==CSandBoxPlus::eIsoationMax);
 		//SetTemplate("NoUACProxy", false);
 		SetTemplate("RpcPortBindingsExt", false);
 		break;

SandboxiePlus/SandMan/Wizards/NewBoxWizard.cpp

@@ -182,6 +182,25 @@ SB_STATUS CNewBoxWizard::TryToCreateBox()
         if (!disableWizardSettings || sharedTemplateMode == 0) {
 		    switch (BoxType)
 		    {
+				case CSandBoxPlus::eIsoationMax:
+					pBox->SetBool("HideNonSystemProcesses", true);
+					pBox->InsertText("Template", "BlockAccessWMI");
+					pBox->InsertText("Template", "BlockDNS");
+					pBox->SetBool("HideOtherBoxes", true);
+					pBox->SetBool("ClosePrintSpooler", true);
+					pBox->SetBool("OpenClipboard", false);
+					pBox->SetBool("BlockInterferePower", true);
+					pBox->SetBool("BlockInterferenceControl", true);
+					pBox->SetBool("BlockScreenCapture", true);
+					pBox->InsertText("Template","BlockLocalConnect");
+					pBox->SetBool("UseSandboxDesktop", true);
+					pBox->SetBool("ConfidentialBox", true);
+					pBox->SetBool("CoverBoxedWindows", true);
+					pBox->SetBool("AlertBeforeStart", true);
+					pBox->SetBool("ForceProtectionOnMount", true);
+					pBox->SetNum64("ProcessMemoryLimit", 80000000);
+					pBox->SetNum("ProcessNumberLimit", 20);
+					pBox->SetBool("ProtectHostImages", true);
 		    	case CSandBoxPlus::eHardenedPlus:
                     pBox->SetBool("UsePrivacyMode", true);
 		    	case CSandBoxPlus::eHardened:
@@ -247,12 +266,16 @@ SB_STATUS CNewBoxWizard::TryToCreateBox()
             }
             pBox->SetBool("BlockNetworkFiles", !field("shareAccess").toBool());
 
+
+            
+
             bool bAllowNetwork = field("blockNetwork").toInt() == 0;
             if (field("promptAccess").toBool() && !bAllowNetwork)
                 pBox->SetBool("PromptForInternetAccess", true);
 
-            bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened);
+            bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened || BoxType== CSandBoxPlus::eIsoationMax);
             bool bAppBox = (BoxType == CSandBoxPlus::eAppBoxPlus || BoxType == CSandBoxPlus::eAppBox);
+
             bool bDropAdmin = field("dropAdmin").toBool();
             if (field("dropAdmin").toBool() && !bHardened)
                 pBox->SetBool("DropAdminRights", true);
@@ -390,7 +413,10 @@ CBoxTypePage::CBoxTypePage(bool bAlowTemp, QWidget *parent)
         //return qMakePair(pW, pIcon);
         return pC;
     };
-
+	AddBoxType(tr("Maximum Isolation Sandbox with security enhancements and data protection"), (int)CSandBoxPlus::eIsoationMax,
+		tr("We try to provide maximum isolation for the sandbox, which covers all the features of the Security Hardened box and the Data Protection box,\n"
+		"In addition, there are other configurations that facilitate isolation,\n"
+			"such as processes and image access control, and so on."));
     AddBoxType(tr("<a href=\"sbie://docs/security-mode\">Security Hardened</a> Sandbox with <a href=\"sbie://docs/privacy-mode\">Data Protection</a>"), (int)CSandBoxPlus::eHardenedPlus, 
         tr("This box type offers the highest level of protection by significantly reducing the attack surface exposed to sandboxed processes. \n"
             "It strictly limits access to user data, allowing processes within this box to only access C:\\Windows and C:\\Program Files directories. \n"
@@ -801,7 +827,7 @@ void CIsolationPage::initializePage()
 {
     int BoxType = wizard()->field("boxType").toInt();
 
-    bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened);
+    bool bHardened = (BoxType == CSandBoxPlus::eHardenedPlus || BoxType == CSandBoxPlus::eHardened || BoxType==CSandBoxPlus::eIsoationMax);
     bool bDropAdmin = field("dropAdmin").toBool();
     m_pMSIServer->setEnabled(!bHardened && !bDropAdmin);
     m_pShareAccess->setEnabled(!bHardened);