sandbox-attacksurface-analysis-tools is a small suite of tools to test various properties of sandboxes on Windows. Many of the checking tools take a -p flag which is used to specify the PID of a sandboxed process. The tool will impersonate the token of that process and determine what access is allowed from that location. It is also recommended to run these tools as an administrator or local system to ensure the system can be appropriately enumerated.
– CheckExeManifest: Check for specific executable manifest flags
– CheckNetworkAccess: Check access to network stack
– NewProcessFromToken: Create a new process based on existing token
– TokenView: View and manipulate various process token values
– NtApiDotNet: A basic managed library to access NT system calls and objects.
– NtObjectManager: A powershell module which uses NtApiDotNet to expose the NT object manager
Note that the following tools are deprecated, they’ve been replaced with more flexible Powershell cmdlets.
You shouldn’t use them as they’re not even guaranteed to work correctly.
+ CheckDeviceAccess : Check access to device objects
+ CheckFileAccess: Check access to files
+ CheckObjectManagerAccess: Check access to object manager objects
+ CheckProcessAccess: Check access to processes
+ CheckRegistryAccess: Check access to registry
+ ObjectList: Dump object manager namespace information
+ DumpTypeInfo: Dump simple kernel object type information
+ DumpProcessMitigations: Dump basic process mitigation details on Windows 8+
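As an added example (not part of the repository's own README or code), the following PowerShell script shows how the deprecated Check* and Dump* tools map onto the NtObjectManager module the README points to, auditing what a sandboxed process can reach in the way the -p flag describes. The cmdlet and parameter names used (Get-NtToken, Get-AccessibleFile, Get-AccessibleKey, Get-AccessibleObject, Get-NtProcessMitigations and their -ProcessIds, -Win32Path, -Path, -Recurse and -Access parameters) are assumed from the module's documentation and not stated on this page; the PID is a placeholder.

```powershell
# Added example, not the project's own code. Run elevated, as the README
# recommends, so the namespace can be enumerated fully.
# Cmdlet and parameter names are assumed from the NtObjectManager module's
# documentation; confirm with: Get-Command -Module NtObjectManager
Import-Module NtObjectManager

# Placeholder: PID of the sandboxed process whose token should be impersonated
# (the equivalent of the deprecated tools' -p flag).
$SandboxPid = 1234

# Inspect the token the access checks will impersonate, so the results can be
# interpreted (integrity level, AppContainer and restricted-token state, user).
$token = Get-NtToken -ProcessId $SandboxPid
$token | Format-List IntegrityLevel, AppContainer, Restricted, User

# Files under the Windows directory the sandboxed token could write to
# (replacement for CheckFileAccess). Writable locations here are the ones a
# sandbox escape would typically look for, so they deserve review.
Get-AccessibleFile -Win32Path 'C:\Windows' -Recurse -ProcessIds $SandboxPid `
    -Access GenericWrite | Select-Object Name, GrantedAccess

# Registry keys under HKLM\Software writable from the sandbox
# (replacement for CheckRegistryAccess).
Get-AccessibleKey -Win32Path 'HKLM\Software' -Recurse -ProcessIds $SandboxPid `
    -Access GenericWrite | Select-Object Name, GrantedAccess

# Named kernel objects the sandbox can open, with the access granted
# (replacement for CheckObjectManagerAccess / ObjectList).
Get-AccessibleObject -Path '\BaseNamedObjects' -Recurse -ProcessIds $SandboxPid |
    Select-Object Name, TypeName, GrantedAccess

# Process mitigation policy of the sandboxed process
# (replacement for DumpProcessMitigations).
Get-NtProcessMitigations -ProcessId $SandboxPid
```

Each Get-Accessible* call performs the access check while impersonating the target process's token, which is why the results differ from what the administrator running the script can see; an empty result set for the write checks is the expected outcome for a well-configured sandbox.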
The tools can be built with Visual Studio 2015.
Usage and Build:
git clone https://github.com/google/sandbox-attacksurface-analysis-tools && cd sandbox-attacksurface-analysis-tools
Right-click sandbox-attacksurface-analysis-tools.sln
Open with Visual Studio