1.14.0

sandboxie-plus · May 12, 2024 · 4cca2a4 · 4cca2a4
1 parent 7bf2c03
commit 4cca2a4
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 2 deletions.
diff --git a/Sandboxie/core/drv/process_force.c b/Sandboxie/core/drv/process_force.c
@@ -161,6 +161,7 @@ _FX BOX *Process_GetForcedStartBox(
     ULONG alert;
     BOOLEAN check_force;
     BOOLEAN is_start_exe;
+    BOOLEAN image_sbie;
     BOOLEAN force_alert;
     BOOLEAN dfp_already_added;
     BOOLEAN same_image_name;
@@ -248,7 +249,7 @@ _FX BOX *Process_GetForcedStartBox(
         // when the process is start.exe we ignore the CurDir and DocArg
         //
 
-        Process_IsSbieImage(ImagePath, NULL, &is_start_exe);
+        Process_IsSbieImage(ImagePath, &image_sbie, &is_start_exe);
 
         if ((! box) && CurDir && !is_start_exe)
             box = Process_CheckBoxPath(&boxes, CurDir);
@@ -284,7 +285,15 @@ _FX BOX *Process_GetForcedStartBox(
                 Process_DfpInsert(PROCESS_TERMINATED, ProcessId);
         }
 
-        if (!box) {
+        //
+        // Check if the parent process has its children forced to be sandboxes
+        // exempt sandboxie components from this as start.exe can be used to 
+        // open selected processes in other boxes or set Dfp when desired.
+        // 
+        // we also must Excempt conhost.exe for console applications
+        //
+
+        if (!box && !image_sbie && _wcsicmp(ImageName, L"conhost.exe") != 0) {
 
             WCHAR boxname[BOXNAME_COUNT];
 

diff --git a/Sandboxie/core/svc/sbieiniserver.cpp b/Sandboxie/core/svc/sbieiniserver.cpp
@@ -2409,6 +2409,18 @@ MSG_HEADER *SbieIniServer::RunSbieCtrl(MSG_HEADER *msg, HANDLE idProcess, bool i
 
 MSG_HEADER *SbieIniServer::RC4Crypt(MSG_HEADER *msg, HANDLE idProcess, bool isSandboxed)
 {
+    //
+    // The purpose of this function is to provide a simple machien bound obfuscation
+    // for example to store passwords which are required in plain text.
+    // To this end we use a Random 64 bit key which is generated once and stored in the registry
+    // as well as the rc4 algorythm for the encryption, applying the same transformation twice 
+    // yealds the original plaintext, hence only one function is sufficient.
+    // 
+    // Please note that neider the mechanism nor the use rc4 algorythm can be considdered 
+    // cryptographically secure by any means.
+    // This mechanism is only good for simple obfuscation of non critical data.
+    //
+
     SBIE_INI_RC4_CRYPT_REQ *req = (SBIE_INI_RC4_CRYPT_REQ *)msg;
     if (req->h.length < sizeof(SBIE_INI_RC4_CRYPT_REQ))
         return SHORT_REPLY(STATUS_INVALID_PARAMETER);