bruce965 / sandbox

Run untrusted processes in a sandbox, blocking access to the system. (NOT WORKING)

Sandbox

Run untrusted processes in a sandbox, blocking access to the system.

This software is still very incomplete and probably not useful yet.

Working Principles

A supervisor process is spawned.

A temporary app container with no privileges is created. Processes running in the container have no access to system resources such as device resources (camera, microphone, GPS, etc.), files, the system registry, networking, or other processes running in the system.

The untrusted process is spawned inside this container. Normally it would not be able to access any resource. To solve this problem, before its code has a chance to be executed, a set of hooks is injected and all calls to the operating system's kernel are replaced with calls to the supervisor.

At this point the untrusted process is running inside the container and cannot access any of the system resources. Its only connection to the system is through the supervisor. If the process tries to bypass the hooks, it is blocked by the operating system's kernel.

The supervisor now has complete control over the resources requested from the untrusted process. Each individual request can be monitored and granted or denied.
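As an added illustration of the supervisor's grant-or-deny step (example code written for this page, not part of the bruce965/sandbox repository): the hooks relay each intercepted call as a line, and the supervisor parses it, canonicalizes the requested path and checks it against per-operation allow-lists, denying by default. The `op\tpath` wire format, the `Policy` roots and the function names are assumptions; the project's real Detours hooks, AppContainer setup and pipe transport are Windows-specific and omitted here so the sketch stays portable.

```cpp
#include <algorithm>
#include <sstream>
#include <string>
#include <vector>

// One intercepted call as relayed by the hooks (hypothetical wire format: "op\tpath").
struct Request { std::string op; std::string path; };

// Parse one request line. Malformed input is rejected rather than guessed at.
bool parseRequest(const std::string& line, Request& out) {
    size_t tab = line.find('\t');
    if (tab == std::string::npos || tab == 0 || tab + 1 >= line.size()) return false;
    out.op = line.substr(0, tab);
    out.path = line.substr(tab + 1);
    return true;
}
// Collapse "." and ".." and unify separators, so the (untrusted) hook side
// cannot name a file outside the permitted roots through path tricks.
std::string canonicalize(std::string path) {
    std::replace(path.begin(), path.end(), '\\', '/');
    std::vector<std::string> parts;
    std::stringstream ss(path);
    std::string seg;
    while (std::getline(ss, seg, '/')) {
        if (seg.empty() || seg == ".") continue;
        if (seg == "..") { if (!parts.empty()) parts.pop_back(); continue; }
        parts.push_back(seg);
    }
    std::string out;
    for (const auto& p : parts) out += "/" + p;
    return out.empty() ? "/" : out;
}
// Supervisor policy (assumed shape): directory roots under which reads / writes are granted.
struct Policy { std::vector<std::string> readRoots, writeRoots; };

// Decide one request. Default is deny: unknown operations and anything
// outside the configured roots are refused.
bool supervisorAllows(const Policy& pol, const std::string& line) {
    Request r;
    if (!parseRequest(line, r)) return false;
    const std::string p = canonicalize(r.path);
    const std::vector<std::string>* roots = nullptr;
    if (r.op == "read") roots = &pol.readRoots;
    else if (r.op == "write") roots = &pol.writeRoots;
    else return false;
    for (const auto& root : *roots)
        if (p == root || p.rfind(root + "/", 0) == 0) return true;
    return false;
}
```

Because the request text comes from the hooked (untrusted) process, the supervisor must treat it as hostile input: canonicalize before comparing, and never let an unrecognized operation fall through to "allow".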

Code Structure

SandboxLauncher

The supervisor process "SandboxLauncher.exe" manages the processes running in the sandbox. It is written in C# .NET.

Sandbox

The "sandbox32.dll" and "sandbox64.dll" DLLs contain the C++ code used by the supervisor.

SandboxHooks

Hooks reside in the "sandbox-hooks32.dll" and "sandbox-hooks64.dll" DLLs, injected through Detours.

These hooks intercept blocked calls to the operating system's kernel and redirect them to the supervisor.

SandboxShared

This is the shared code, namely utilities to maintain a connection between the supervisor and the hooks injected in the untrusted process running in the container.

Test

Test implementation of the untrusted process, used to ensure that every operation is properly intercepted and redirected to the supervisor.

License

Check the license for details.

License: ISC License

Languages

C++ 78.0%, C# 19.0%, C 3.0%