Another bypass for the sandbox

Seeing as someone bypassed the sandbox, I decided to do some investigation as well. So here is my own exploit. Instructions:

It works on 32-bit Windows XP. It might work on Vista and 7, if UAC is disabled. Tested in VM, fresh install of CIS (“Proactive Security”) with everything at defaults (D+ at Safe Mode, Sandbox enabled, etc.)

  1. Run TestPh-ComodoExploit1.exe.
  2. Do not close the message box that pops up.
  3. Verify that TestPh-ComodoExploit1.exe is running as NT AUTHORITY\SYSTEM in Task Manager.
  4. Close the message box.

The reason this exploit works is because of our old friend, user-mode hooking. Apparently people still don’t get the message - user-mode hooking can always be bypassed.

I’m not going to put the code here this time because I may cause a certain moderator to get angry. :wink: PM me if you want the code.

[attachment deleted by admin]

Verified here on a real machine, but of course without the sandbox you get an alert.

thanks :slight_smile:

So is there a way to protect against this? If not, then why don't more malware writers use this method?

Not in general, user-mode hooking can always be bypassed. There are only two ways to protect against this particular method:

  1. Don’t use Windows XP (or don’t use an admin account), and don’t turn UAC off.
  2. D+ could hook functions inside services.exe. This would require knowledge of the internal workings of the SCM though, and compatibility would be a huge issue.

In general any program that runs at an elevated privilege level and exposes an API can be a vulnerability. Everyone involved needs to be security-conscious.

if not then why don't more malware writers use this method?

I don’t know, I’m not a “security researcher”.

Hmm, interesting, so this isn't a problem in any other OS besides XP?

No, this method works on all 32-bit and 64-bit systems. My test program only works on 32-bit systems and I’ve only tested it on XP (although it should work on Vista and 7). I say “don’t use Windows XP” because XP doesn’t have UAC.

OK, I get what you're saying. It would be nice if Comodo could protect against this. I don't like using UAC, but if it comes down to it I might have to, if malware starts using this method.

This example fails when “treat unrecognized files as” is raised above the default; I wonder whether doing this actually increases protection against user-mode attacks or just happens to break your particular implementation…

Either way it’s one more reason for people to abandon XP and leave UAC enabled.

“Can’t Open SCM: Access is Denied”

(VMWare WinXP 32 Bit 512 MB / CIS)
Extracted to Desktop, ran the application and it displayed the above message.

Showed the Sandbox message “AppName is unrecognized file… has been automatically sandboxed”.

Jake

Or use a limited account.

Dennis

When you set it to something higher than Partially Limited it also filters the token of the process, effectively disabling admin privileges. One “lesson” here is that the sandbox is not really that useful. Just leave UAC on.

See above. You need to be using Partially Limited mode and an admin account.

Partially Limited Mode is the default, thus it is enabled/applied. Also, I'm in the root account (Administrator).

Thanks

Regards
Jacob

Are you using any other security software? What OS are you using? Do you have UAC enabled, and if so, are you running the program elevated?

EDIT: Oops, didn’t read.

WinXP SP3 512 MB in a VMWare Virtual Machine,

Fresh Install of Windows and CIS

UAC isn’t available in XP

Logged in as Admin Account

Thanks

Regards
Jacob

Not sure if you want to investigate any further, but this is impossible unless there’s something I’m missing here. Can you please check the token of TestPh-ComodoExploit1.exe (the Security/Token tab in process properties) using Process Explorer/Hacker and give me a screenshot?
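The check requested above (the Security/Token tab in Process Explorer), together with the earlier advice about admin accounts and UAC and the remark that higher sandbox levels filter the token, can be scripted. This is an added example and not code from the thread or from Comodo: it reports, for every process with the given name, the token user, integrity level and elevation type, plus whether UAC is enabled on the machine. The process name is the test binary named in the thread; the script assumes it runs with enough rights to open the target process (an admin account on XP, an elevated prompt on Vista/7).

```powershell
# Added example, not from the thread. Reports token facts for a named process,
# the same ones shown in Process Explorer's Security tab, and the UAC state.
param([string]$ProcessName = 'TestPh-ComodoExploit1')   # name taken from the thread

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.ComponentModel;

public static class TokenInfo {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int needed);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);

    const uint PROCESS_QUERY_INFORMATION = 0x0400;   // available on XP as well as later versions
    const uint TOKEN_QUERY = 0x0008;
    public const int TokenUser = 1, TokenElevationType = 18, TokenIntegrityLevel = 25;

    public static IntPtr OpenToken(int pid) {
        IntPtr process = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
        if (process == IntPtr.Zero) throw new Win32Exception(Marshal.GetLastWin32Error());
        try {
            IntPtr token;
            if (!OpenProcessToken(process, TOKEN_QUERY, out token))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            return token;
        } finally { CloseHandle(process); }
    }

    // TokenUser and TokenIntegrityLevel both return a struct whose first field is a PSID.
    public static string SidString(IntPtr token, int cls) {
        int len;
        GetTokenInformation(token, cls, IntPtr.Zero, 0, out len);   // size query
        IntPtr buf = Marshal.AllocHGlobal(len);
        try {
            if (!GetTokenInformation(token, cls, buf, len, out len))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            return new System.Security.Principal.SecurityIdentifier(Marshal.ReadIntPtr(buf)).Value;
        } finally { Marshal.FreeHGlobal(buf); }
    }

    // TOKEN_ELEVATION_TYPE: 1 = Default (no UAC split token), 2 = Full (elevated admin),
    // 3 = Limited (filtered token, admin group disabled). The call fails on XP, which has no UAC.
    public static int ElevationType(IntPtr token) {
        IntPtr buf = Marshal.AllocHGlobal(4);
        try {
            int len;
            if (!GetTokenInformation(token, TokenElevationType, buf, 4, out len))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            return Marshal.ReadInt32(buf);
        } finally { Marshal.FreeHGlobal(buf); }
    }
}
'@

# UAC state comes from the EnableLUA policy value; the value does not exist on XP.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($null -eq $pol -or $null -eq $pol.EnableLUA) { 'UAC: not available on this OS (XP)' }
elseif ($pol.EnableLUA -eq 1) { 'UAC: enabled' }
else { 'UAC: DISABLED - any process started by an admin already holds full admin rights' }

$integrityNames = @{ 4096 = 'Low'; 8192 = 'Medium'; 12288 = 'High'; 16384 = 'System' }
$elevationNames = @{ 1 = 'Default'; 2 = 'Full (elevated)'; 3 = 'Limited (filtered token)' }

foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    $token = [TokenInfo]::OpenToken($p.Id)
    try {
        # Who the process runs as: NT AUTHORITY\SYSTEM here is what the thread reports.
        $sidText = [TokenInfo]::SidString($token, [TokenInfo]::TokenUser)
        $userSid = New-Object Security.Principal.SecurityIdentifier $sidText
        try { $user = $userSid.Translate([Security.Principal.NTAccount]).Value } catch { $user = $sidText }

        # Integrity label is S-1-16-<rid>; not present on XP.
        try {
            $rid = [int]([TokenInfo]::SidString($token, [TokenInfo]::TokenIntegrityLevel) -replace '^S-1-16-', '')
            $integrity = $integrityNames[$rid]
            if (-not $integrity) { $integrity = "RID $rid" }
        } catch { $integrity = 'n/a (pre-Vista)' }

        # Elevation type distinguishes an unfiltered admin token from a filtered one.
        try {
            $et = [TokenInfo]::ElevationType($token)
            $elevation = $elevationNames[$et]
        } catch { $elevation = 'n/a (pre-Vista)' }

        "PID $($p.Id) $($p.ProcessName): user=$user integrity=$integrity elevation=$elevation"
    } finally { [void][TokenInfo]::CloseHandle($token) }
}
```

On XP the two last fields read n/a and the user field is the whole check: if the test binary shows NT AUTHORITY\SYSTEM, the sandbox did not contain it. On Vista/7 with UAC on, a process launched from a non-elevated admin session shows Limited, and a sandbox level above Partially Limited is expected to show the same filtered token the thread describes, while a Full or Default token is the condition under which the bypass has something to work with.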

Will do;

Allow me to download Process Explorer;

Give me a moment or two

Regards
Jacob

Edit: uploaded the requested image

[attachment deleted by admin]

Yes, don’t use the sandbox, activate Proactive Security :slight_smile: :wink:, that will do it …

The alerts generated by CIS in Proactive Security mode :slight_smile:

http://img819.imageshack.us/img819/9339/snap1we.jpg

Allowing it will display this alert:

http://img138.imageshack.us/img138/7431/snap2s.jpg

which clearly states, thank God, that the operation is highly suspicious and should be blocked.

Then the result is …

http://img227.imageshack.us/img227/8185/snap3t.jpg

Yes. The purpose of this test is to show that the sandbox, at least in Partially Limited mode, is not very secure. The rest of D+ is pretty good.

Yeah, it seems like Partially Limited mode can be tightened up some.