[Victor43]

I have found out sandboxing involves hooking or can at the very least in order to intercept the call but how it is possible to implement whether or not to permit or deny the call ? Any thoughts or ideas anyone ? I've included a link to another forum where the discussion of hooking is at the forefront.

https://security.stackexchange.com/ques ... or-windows

[Vrtule]

The sanbox may take advantage of interfaces that allow you to make block/permit decisions on the fly. Such interfaces exist for filtering registry, file system, network and process/thread accesses.

However, there are also mechanisms that permits you to only block the access (Windows security model in general (DACLs, integrity levels, UIPI, ...), job objects...). Probably the best approach is to run the sandboxed code with the least privileges possible (or no privileges at all) and hook functions for which more privileges are required. When the coce uses the hooked routines, you may filter the calls yourself and allow it to perform certain actions (that cannot be performed with zero privileges). When it decides not to use the hooked routines, it actually attempts to bypass them, it cannot do anything interesting since it has no privileges.

[N3mes1s]

It's not exactly what you're looking for, but it could be a good start:

https://blog.trailofbits.com/2017/08/02 ... -so-i-did/

[Victor43]

Thanks to both replies.