So, out of curiosity I have started to look and try to learn how the CIS Sandbox actually provides virtualisation.
I don’t know much about Reverse Engineering or Process Analysis but would like to learn a little bit more.
What it doesn’t appear to do:
- No additional Windows security flags are placed on the contained process when creating it
What it does do:
- Manually containing a file via context menu:
→ Starts cmdvirth.exe
→ virtkiosk.exe starts
→ virtkiosk.exe starts ContainedApp.exe as a child process
→ virtkiosk.exe terminates
I would have assumed that in order to provide the restrictions for ContainedApp.exe, virtkiosk.exe would have created a pipe between itself and ContainedApp.exe then redirected I/O accordingly.
However, to my surprise, virtkiosk.exe terminates once ContainedApp.exe is running virtualised.
Therefore I am confused as to what is forcing the redirected I/O of ContainedApp.exe.
Could it be that virtkiosk.exe simply sets Security Descriptors as per CIS settings upon launching ContainedApp.exe that I am not seeing, then terminates as no further restrictions are needed? I would therefore assume CIS Auto-Containment settings do not take effect when changed on already contained applications until that application is terminated and re-contained.
I am currently also confused as to what the purpose of cmdvirth.exe is in all of this.
Could someone point me in the right direction where I can look to further understand what is happening?
I would prefer someone not give me the answer so I can try and figure it out myself.
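One way to test the first observation above (that no extra Windows restrictions are put on the contained process), as an added example that is neither the poster's nor Comodo's code: it reads the job-object, token integrity level and restricted-token state of a running process through public Win32 calls so a contained and an uncontained instance of the same program can be compared. It assumes an elevated PowerShell session on the Windows host where the process (the name ContainedApp is assumed) is running.

```powershell
# Added example (not from the post or from Comodo): report the Windows-level restrictions a
# running process actually carries: job-object membership, token integrity level, restricted token.
# Assumes an elevated PowerShell on the machine where ContainedApp.exe (name assumed) is running.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsProcessInJob(IntPtr hProcess, IntPtr hJob, out bool result);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr hProcess, uint access, out IntPtr hToken);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool IsTokenRestricted(IntPtr hToken);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr hToken, int cls, IntPtr info, int len, out int ret);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

function Get-ProcessRestrictions {
    param([Parameter(Mandatory)][string]$Name)
    foreach ($p in Get-Process -Name $Name -ErrorAction Stop) {
        try { $h = $p.Handle } catch {
            # A refused open is itself a data point: something is filtering handle access to this process.
            [pscustomobject]@{ ProcessId = $p.Id; Parent = $null; InJob = 'access denied'; Integrity = ''; Restricted = '' }
            continue
        }
        $parent = (Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)").ParentProcessId
        $inJob = $false
        [void][Win32.Native]::IsProcessInJob($h, [IntPtr]::Zero, [ref]$inJob)
        $tok = [IntPtr]::Zero
        if (-not [Win32.Native]::OpenProcessToken($h, 0x0008, [ref]$tok)) { throw "OpenProcessToken failed for PID $($p.Id)" }  # TOKEN_QUERY
        try {
            $restricted = [Win32.Native]::IsTokenRestricted($tok)
            # TokenIntegrityLevel (class 25) returns a TOKEN_MANDATORY_LABEL whose first field is a PSID;
            # the SID's last sub-authority is the integrity RID (0x1000 Low, 0x2000 Medium, 0x3000 High).
            $len = 0
            [void][Win32.Native]::GetTokenInformation($tok, 25, [IntPtr]::Zero, 0, [ref]$len)
            $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($len)
            try {
                if (-not [Win32.Native]::GetTokenInformation($tok, 25, $buf, $len, [ref]$len)) { throw "GetTokenInformation failed for PID $($p.Id)" }
                $sid = [Security.Principal.SecurityIdentifier]::new([Runtime.InteropServices.Marshal]::ReadIntPtr($buf))
                $rid = [int]($sid.Value -split '-')[-1]
            } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
        } finally { [void][Win32.Native]::CloseHandle($tok) }
        $level = switch ($rid) { 0x1000 {'Low'} 0x2000 {'Medium'} 0x3000 {'High'} 0x4000 {'System'} default {"RID 0x{0:X}" -f $rid} }
        [pscustomobject]@{ ProcessId = $p.Id; Parent = $parent; InJob = $inJob; Integrity = $level; Restricted = $restricted }
    }
}

# Run once against a contained instance and once against an uncontained launch of the same program.
Get-ProcessRestrictions -Name 'ContainedApp' | Format-Table -AutoSize
```

If the two runs show identical job, integrity and restricted-token state, the enforcement is not coming from these user-mode process attributes, which narrows where to look next.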