
I am having issues with a particular game detecting that it is being run inside Sandboxie (an application for running programs inside a sandbox), with the goal of running multiple instances of the game on the same computer.

The game employs techniques to detect the presence of Sandboxie, and I've found information regarding this issue online to be scarce; however, it seems to be down to the detection of the presence of "SbieDll.dll" in the module list of the game's process. I thought about this logically and assume they are using something like the PEB_LDR_DATA structure to iterate through each of the modules and flag it if the string matches "SbieDll.dll".

So there are a couple of issues with what I need to do: Sandboxie is a closed-source program, so I can't simply edit the name of the DLL.

So I have two questions in regard to this, the first being:

What should I be doing to prevent the application from breaking when I hex edit the new name in? Should I be searching for something else besides SbieDll.dll to replace?

The second being: what other techniques may the game be employing to detect the presence of Sandboxie? And if so, are there any other ways I can hide that the game is in fact run by Sandboxie?

I've tried to rename all instances of SbieDll.dll in all Sandboxie-related executables and modules with a hex editor (HxD) to a filename of the same length (e.g. 1234567.dll), and also edited the PE headers using PE Explorer to remove all traces of "sandboxie" from the application; however, this seems to break Sandboxie itself, throwing the exception:

"Initialization of the dynamic link library C:\Program Files\Sandboxie\SbieDll.dll failed. The process is terminating abnormally"

I expect the game to be able to run in sandboxie with no issues.
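The module-list check hypothesized above, written out as an added example (it is not code from the question, the game, or Sandboxie): a game-side self-check that scans the names of loaded modules for SbieDll.dll. Only the name SbieDll.dll comes from the post; the sample module list is constructed, and the Windows part uses the documented EnumProcessModules/GetModuleBaseNameA APIs (psapi) rather than a raw PEB_LDR_DATA walk, which yields the same module names.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
/* Names that flag a Sandboxie-hosted process; SbieDll.dll is the name the question gives. */
static const char *const FLAGGED_MODULES[] = { "SbieDll.dll" };
#define FLAGGED_COUNT (sizeof FLAGGED_MODULES / sizeof FLAGGED_MODULES[0])

/* The loader keeps the casing the file has on disk, so compare case-insensitively. */
static int names_equal_ci(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Some enumeration APIs return full paths; compare the file name only. */
static const char *basename_of(const char *path) {
    const char *slash = strrchr(path, '\\');
    return slash ? slash + 1 : path;
}

/* Returns the index into FLAGGED_MODULES of the first match, or -1 if none. */
int flag_sandbox_module(const char *const *loaded, size_t count) {
    for (size_t i = 0; i < count; i++)
        for (size_t j = 0; j < FLAGGED_COUNT; j++)
            if (names_equal_ci(basename_of(loaded[i]), FLAGGED_MODULES[j]))
                return (int)j;
    return -1;
}

/* Constructed module list shaped like a game process under Sandboxie; returns 0. */
int demo_constructed_list(void) {
    const char *const sample[] = { "game.exe", "ntdll.dll", "KERNEL32.DLL",
                                   "C:\\Program Files\\Sandboxie\\sbiedll.dll" };
    return flag_sandbox_module(sample, sizeof sample / sizeof sample[0]);
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h> /* link with psapi.lib */
/* Live self-check: list this process's modules through the documented API and
 * apply the same name test. Returns -1 when nothing matches or the API fails. */
int this_process_under_sandboxie(void) {
    HMODULE mods[256]; DWORD needed = 0; size_t n = 0;
    char names[256][MAX_PATH]; const char *ptrs[256];
    if (!EnumProcessModules(GetCurrentProcess(), mods, sizeof mods, &needed)) return -1;
    for (size_t i = 0; i < needed / sizeof(HMODULE) && i < 256; i++)
        if (GetModuleBaseNameA(GetCurrentProcess(), mods[i], names[n], MAX_PATH))
            ptrs[n] = names[n], n++;
    return flag_sandbox_module(ptrs, n);
}
#endif
```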

1 Answer

What should I be doing to prevent the application from breaking when I hex edit the new name in? Should I be searching for something else besides SbieDll.dll to replace?

In the 80s, it was possible to open a program binary with a hex editor and change strings (on computers such as the Atari ST, Amiga, etc.), and even then the size of the string had to remain the same... In today's operating systems, it is possible to change some strings in an .exe, but that will tamper with the exe's code signing certificate (if there is one), and only provided that countermeasures (such as obfuscating these strings) weren't taken.

The second being: what other techniques may the game be employing to detect the presence of Sandboxie? And if so, are there any other ways I can hide that the game is in fact run by Sandboxie?

Other techniques commonly used are:

  1. Anti-debugging: There are many ways to detect a running debugger, and the simplest one is calling the IsDebuggerPresent function. This function detects whether the calling process is being debugged by a user-mode debugger.

  2. Anti-breakpoints: It's very hard to reverse engineer software without breakpoints. Popular anti-reverse-engineering tactics are based on detecting breakpoints, providing a series of corresponding anti-debugging methods.

  3. Bypassing NtQueryInformationProcess checks: Probably the method used to detect Sandboxie. To bypass it, the values returned by the NtQueryInformationProcess function should be changed to values that don't indicate the presence of a debugger.

  4. Obfuscation: in your case, making it hard to find the string "SbieDll.dll".

In fact, you can learn more by reading what the other side of this endless battle has to offer, for example PELock. They have dedicated functionality to prevent game hacking.

To sum up, the only way is to somehow overcome these protection methods, reverse engineer the entire software, disassemble it, then make the changes at the source code level, and rebuild it.