
BSOD "SYSTEM_SERVICE_EXCEPTION (3b)" when opening a DLL from AlertFolder using x64dbg #4421

Closed
offhub opened this issue Dec 7, 2024 · 20 comments
Labels
Issue: Reproduced Issue reproduced without uncertainties Status: Fixed in Next Build Fixed in the next Sandboxie version Type: BSOD Critical error screen

Comments

@offhub
Collaborator

offhub commented Dec 7, 2024

Describe what you noticed and did

I couldn't reproduce the error on a virtual machine, but here are the steps that lead to the issue:

  1. Set AlertFolder=*\Users*\Downloads
  2. Set StartRunAlertDenied=y
  3. Set DenyHostAccess=*,n (global)
  4. Enable Cloud-delivered protection in Windows Security
  5. Copy some DLL to the Downloads folder
  6. Run x64dbg outside the sandbox and open the DLL
  7. BSOD (3b) occurs

Bugcheck Analysis
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the BugCheck
Arg2: fffff8016c81b589, Address of the instruction which caused the BugCheck
Arg3: ffff930310d764c0, Address of the context record for the exception that caused the BugCheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 2328

    Key  : Analysis.Elapsed.mSec
    Value: 2393

    Key  : Analysis.IO.Other.Mb
    Value: 6

    Key  : Analysis.IO.Read.Mb
    Value: 1

    Key  : Analysis.IO.Write.Mb
    Value: 10

    Key  : Analysis.Init.CPU.mSec
    Value: 1250

    Key  : Analysis.Init.Elapsed.mSec
    Value: 38270

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 101

    Key  : Analysis.Version.DbgEng
    Value: 10.0.27725.1000

    Key  : Analysis.Version.Description
    Value: 10.2408.27.01 amd64fre

    Key  : Analysis.Version.Ext
    Value: 1.2408.27.1

    Key  : Bugcheck.Code.KiBugCheckData
    Value: 0x3b

    Key  : Bugcheck.Code.LegacyAPI
    Value: 0x3b

    Key  : Bugcheck.Code.TargetModel
    Value: 0x3b

    Key  : Failure.Bucket
    Value: AV_SbieDrv!Process_MatchImage

    Key  : Failure.Hash
    Value: {5cfd32b4-9c9a-f699-7072-d218d57a74be}

    Key  : Hypervisor.Enlightenments.Value
    Value: 68669340

    Key  : Hypervisor.Enlightenments.ValueHex
    Value: 417cf9c

    Key  : Hypervisor.Flags.AnyHypervisorPresent
    Value: 1

    Key  : Hypervisor.Flags.ApicEnlightened
    Value: 1

    Key  : Hypervisor.Flags.ApicVirtualizationAvailable
    Value: 0

    Key  : Hypervisor.Flags.AsyncMemoryHint
    Value: 0

    Key  : Hypervisor.Flags.CoreSchedulerRequested
    Value: 0

    Key  : Hypervisor.Flags.CpuManager
    Value: 1

    Key  : Hypervisor.Flags.DeprecateAutoEoi
    Value: 0

    Key  : Hypervisor.Flags.DynamicCpuDisabled
    Value: 1

    Key  : Hypervisor.Flags.Epf
    Value: 0

    Key  : Hypervisor.Flags.ExtendedProcessorMasks
    Value: 1

    Key  : Hypervisor.Flags.HardwareMbecAvailable
    Value: 1

    Key  : Hypervisor.Flags.MaxBankNumber
    Value: 0

    Key  : Hypervisor.Flags.MemoryZeroingControl
    Value: 0

    Key  : Hypervisor.Flags.NoExtendedRangeFlush
    Value: 0

    Key  : Hypervisor.Flags.NoNonArchCoreSharing
    Value: 1

    Key  : Hypervisor.Flags.Phase0InitDone
    Value: 1

    Key  : Hypervisor.Flags.PowerSchedulerQos
    Value: 0

    Key  : Hypervisor.Flags.RootScheduler
    Value: 0

    Key  : Hypervisor.Flags.SynicAvailable
    Value: 1

    Key  : Hypervisor.Flags.UseQpcBias
    Value: 0

    Key  : Hypervisor.Flags.Value
    Value: 4853999

    Key  : Hypervisor.Flags.ValueHex
    Value: 4a10ef

    Key  : Hypervisor.Flags.VpAssistPage
    Value: 1

    Key  : Hypervisor.Flags.VsmAvailable
    Value: 1

    Key  : Hypervisor.RootFlags.AccessStats
    Value: 1

    Key  : Hypervisor.RootFlags.CrashdumpEnlightened
    Value: 1

    Key  : Hypervisor.RootFlags.CreateVirtualProcessor
    Value: 1

    Key  : Hypervisor.RootFlags.DisableHyperthreading
    Value: 0

    Key  : Hypervisor.RootFlags.HostTimelineSync
    Value: 1

    Key  : Hypervisor.RootFlags.HypervisorDebuggingEnabled
    Value: 0

    Key  : Hypervisor.RootFlags.IsHyperV
    Value: 1

    Key  : Hypervisor.RootFlags.LivedumpEnlightened
    Value: 1

    Key  : Hypervisor.RootFlags.MapDeviceInterrupt
    Value: 1

    Key  : Hypervisor.RootFlags.MceEnlightened
    Value: 1

    Key  : Hypervisor.RootFlags.Nested
    Value: 0

    Key  : Hypervisor.RootFlags.StartLogicalProcessor
    Value: 1

    Key  : Hypervisor.RootFlags.Value
    Value: 1015

    Key  : Hypervisor.RootFlags.ValueHex
    Value: 3f7

    Key  : SecureKernel.HalpHvciEnabled
    Value: 1

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Version
    Value: 10.0.19041.1


BUGCHECK_CODE:  3b

BUGCHECK_P1: c0000005

BUGCHECK_P2: fffff8016c81b589

BUGCHECK_P3: ffff930310d764c0

BUGCHECK_P4: 0

FILE_IN_CAB:  MEMORY.DMP

TAG_NOT_DEFINED_202b:  *** Unknown TAG in analysis list 202b


FAULTING_THREAD:  ffff8304d613b080

CONTEXT:  ffff930310d764c0 -- (.cxr 0xffff930310d764c0)
rax=ffff930310d76f08 rbx=0000000000000001 rcx=0000000000000000
rdx=ffffb3002f0031a0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8016c81b589 rsp=ffff930310d76ec0 rbp=ffffb3002f0031a2
 r8=0000000000000001  r9=ffffb300318d73e0 r10=0000000000000001
r11=ffff930310d76f10 r12=0000000000000000 r13=0000000000000000
r14=000000000000002a r15=ffffb300318d73e0
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050246
SbieDrv!Process_MatchImage+0x25:
fffff801`6c81b589 488b4958        mov     rcx,qword ptr [rcx+58h] ds:002b:00000000`00000058=????????????????
Resetting default scope

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  MsMpEng.exe

STACK_TEXT:  
ffff9303`10d76ec0 fffff801`6c81b77f     : 00000000`00000001 ffffb300`2f0031a2 ffffb300`2f0031a0 ffff9303`10d76fb0 : SbieDrv!Process_MatchImage+0x25 [D:\a\Sandboxie\Sandboxie\Sandboxie\core\drv\process_util.c @ 166] 
ffff9303`10d76f10 fffff801`6c81ad89     : 00000000`00000000 00000000`00000000 00000000`ffffffff 00000000`ffffffff : SbieDrv!Process_MatchImageAndGetValue+0x77 [D:\a\Sandboxie\Sandboxie\Sandboxie\core\drv\process_util.c @ 346] 
ffff9303`10d76f70 fffff801`6c81ae01     : fffff801`ffffffff fffff801`6c82d000 ffff9303`10d77000 00000000`00000000 : SbieDrv!Process_GetConfEx+0x45 [D:\a\Sandboxie\Sandboxie\Sandboxie\core\drv\process_util.c @ 392] 
ffff9303`10d76fb0 fffff801`6c81fd21     : ffff8304`d70a4000 ffff9303`10d77030 ffffb300`318d7050 00000000`00000000 : SbieDrv!Process_GetConfEx_bool+0x35 [D:\a\Sandboxie\Sandboxie\Sandboxie\core\drv\process_util.c @ 428] 
ffff9303`10d76fe0 fffff801`6c815e8c     : ffffb300`2650b700 ffff8304`d70a4080 ffffb300`2e52f340 ffffb300`2650b738 : SbieDrv!Thread_CheckObject_CommonEx+0x109 [D:\a\Sandboxie\Sandboxie\Sandboxie\core\drv\thread.c @ 1132] 
ffff9303`10d77070 fffff801`4fc0796c     : ffffb300`2e52f340 ffff8304`9c4b22d8 ffff9303`10d77168 00000000`00000000 : SbieDrv!Obj_PreOperationCallback+0x9c [D:\a\Sandboxie\Sandboxie\Sandboxie\core\drv\obj_flt.c @ 239] 
ffff9303`10d770b0 fffff801`4fc07ada     : 00000000`00000000 00000000`00000000 00000000`00001000 fffff1a4`69147a07 : nt!ObpCallPreOperationCallbacks+0x10c
ffff9303`10d77130 fffff801`4fc399f3     : ffff8304`9c4b2220 ffff9303`10d772c0 ffff9303`10d77740 ffff9303`10d77740 : nt!ObpPreInterceptHandleCreate+0xaa
ffff9303`10d771a0 fffff801`4fc0b619     : ffff9303`10d77740 ffff8304`d70a4080 00000000`00000000 00000000`00000000 : nt!ObpCreateHandle+0xce3
ffff9303`10d773b0 fffff801`4fc452ff     : 00000000`00000001 ffff9303`10d77a80 00000000`00000000 00000000`00000001 : nt!ObOpenObjectByPointer+0x1b9
ffff9303`10d77630 fffff801`4fce41f3     : ffff8304`d613b080 ffff8304`dac85270 000001f2`5bb72820 00007ffc`b0b0a110 : nt!PsOpenProcess+0x3af
ffff9303`10d779c0 fffff801`4fa12505     : ffff8304`d613b080 000000f0`00000000 00000000`00000000 ffff8304`dac84490 : nt!NtOpenProcess+0x23
ffff9303`10d77a00 00007ffc`efacd9b4     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
000000f0`4eafd0e8 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffc`efacd9b4


FAULTING_SOURCE_LINE:  D:\a\Sandboxie\Sandboxie\Sandboxie\core\drv\process_util.c

FAULTING_SOURCE_FILE:  D:\a\Sandboxie\Sandboxie\Sandboxie\core\drv\process_util.c

FAULTING_SOURCE_LINE_NUMBER:  166

FAULTING_SOURCE_CODE:  
   162:     // if pat_len was specified, we should create the match pattern
   163:     // using only the first pat_len characters of pat_str
   164:     //
   165: 
>  166:     if (pat_len) {
   167: 
   168:         tmp_len = (pat_len + 1) * sizeof(WCHAR);
   169:         tmp = Mem_Alloc(box->expand_args->pool, tmp_len);
   170:         if (! tmp)
   171:             return FALSE;


SYMBOL_NAME:  SbieDrv!Process_MatchImage+25

MODULE_NAME: SbieDrv

IMAGE_NAME:  SbieDrv.sys

STACK_COMMAND:  .cxr 0xffff930310d764c0 ; kb

BUCKET_ID_FUNC_OFFSET:  25

FAILURE_BUCKET_ID:  AV_SbieDrv!Process_MatchImage

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {5cfd32b4-9c9a-f699-7072-d218d57a74be}

Followup:     MachineOwner
---------

How often did you encounter it so far?

After the first system crash, I did not try it on the host pc. The same crash did not occur in the tests I did on the virtual machine.

Expected behavior

No BSOD

Affected program

x64dbg

Download link

https://github.com/x64dbg/x64dbg/releases/download/snapshot/snapshot_2024-12-01_15-19.zip

Where is the program located?

The program is installed only outside the sandbox.

Did the program or any related process close unexpectedly?

Yes, it did, but I don't want to share the .dmp file(s) for privacy reasons.

Crash dump

No response

What version of Sandboxie are you running now?

Sandboxie-Plus 1.15.3 64-bit

Is it a new installation of Sandboxie?

I have been using the same version for some time.

Is it a regression from previous versions?

No response

In which sandbox type you have this problem?

In a standard isolation sandbox (yellow sandbox icon).

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty sandbox.

What is your Windows edition and version?

Windows 10 Pro 22H2 64-bit (19045.5131)

In which Windows account you have this problem?

A Microsoft account (Administrator), an account with UAC protection set to Always notify.

Please mention any installed security software

Microsoft Windows Defender

Did you previously enable some security policy settings outside Sandboxie?

No response

Trace log

No response

Sandboxie.ini configuration

[GlobalSettings]
FileRootPath=\??\%SystemDrive%\Sandbox\%USER%\%SANDBOX%
KeyRootPath=\REGISTRY\USER\Sandbox_%USER%_%SANDBOX%
IpcRootPath=\Sandbox\%USER%\%SANDBOX%\Session_%SESSION%
# BSOD settings
AlertFolder=*\Users\*\Downloads
DenyHostAccess=*,n
StartRunAlertDenied=y
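The dump above is standard WinDbg `!analyze -v` output. As an added example (not code from this issue or from Sandboxie), here is a small Python parser that pulls the triage-relevant fields out of such a dump: bugcheck name and code, exception code, faulting module and source line, and the process in whose context the fault happened. The embedded sample is a constructed excerpt that reuses the values of this report.

```python
import re
# Constructed excerpt in the shape of a WinDbg `!analyze -v` dump; the values are those of the report above.
SAMPLE = r"""
SYSTEM_SERVICE_EXCEPTION (3b)
Arg1: 00000000c0000005, Exception code that caused the BugCheck
PROCESS_NAME:  MsMpEng.exe
STACK_TEXT:
ffff9303`10d76ec0 fffff801`6c81b77f     : 00000000`00000001 ffffb300`2f0031a2 : SbieDrv!Process_MatchImage+0x25 [D:\a\Sandboxie\Sandboxie\Sandboxie\core\drv\process_util.c @ 166]
ffff9303`10d770b0 fffff801`4fc07ada     : 00000000`00000000 00000000`00000000 : nt!ObpCallPreOperationCallbacks+0x10c
"""
# A STACK_TEXT row is "<sp> <ret> : <args> : module!symbol+offset [source_file @ line]"; the bracket part is optional.
FRAME_RE = re.compile(r"^(?P<sym>[^\s\[]+)(?:\s+\[(?P<file>.+?) @ (?P<line>\d+)\])?$")

def parse_frame(line):
    parts = line.split(" : ")
    m = FRAME_RE.match(parts[-1].strip()) if len(parts) >= 3 else None
    if not m:
        return None
    sym = m.group("sym")
    return {"module": sym.split("!")[0] if "!" in sym else None, "symbol": sym,
            "file": m.group("file"), "line": int(m.group("line")) if m.group("line") else None}

def parse_analysis(text):
    """Collect bugcheck name/code, Arg1..4, PROCESS_NAME and the stack frames from the dump text."""
    info, in_stack = {"args": {}, "frames": []}, False
    for line in (l.strip() for l in text.splitlines()):
        if in_stack:                    # the STACK_TEXT block ends at the first blank line
            in_stack = bool(line)
            frame = parse_frame(line) if line else None
            if frame:
                info["frames"].append(frame)
        elif m := re.match(r"^([A-Z_]+) \(([0-9a-f]+)\)$", line):
            info["name"], info["code"] = m.group(1), int(m.group(2), 16)
        elif m := re.match(r"^Arg(\d): ([0-9a-f]+), (.*)$", line):
            info["args"][int(m.group(1))] = (int(m.group(2), 16), m.group(3))
        elif line.startswith("PROCESS_NAME:"):
            info["process"] = line.split(":", 1)[1].strip()
        elif line.startswith("STACK_TEXT:"):
            in_stack = True
    return info

def triage(text):
    """The fields a responder wants first: bugcheck, exception code, faulting module and line, context process."""
    info = parse_analysis(text)
    top = info["frames"][0] if info["frames"] else {}
    return {"bugcheck": f"{info.get('name')} ({info.get('code', 0):x})",
            "exception": info["args"].get(1, (None,))[0], "process": info.get("process"),
            "faulting_module": top.get("module"), "source": (top.get("file"), top.get("line")),
            # non-kernel modules on the stack: the third-party code to look at first
            "modules": sorted({f["module"] for f in info["frames"] if f["module"] not in (None, "nt")})}
```

Run `triage(open("analysis.txt").read())` on a real `!analyze -v` capture; the top frame's module and source line are what decide which vendor the dump goes to.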
@offhub offhub added Confirmation Pending Further confirmation is requested Type: BSOD Critical error screen labels Dec 7, 2024
@DavidXanatos
Member

Can you reproduce the issue on the real machine?

@offhub
Collaborator Author

offhub commented Dec 15, 2024

Yes, I can reproduce it on the real machine when both the 'StartRunAlertDenied' setting in Sandboxie and cloud protection in Microsoft Defender are active.

@DavidXanatos
Member

And when you disable either StartRunAlertDenied or cloud protection, it works fine?

@offhub
Collaborator Author

offhub commented Dec 15, 2024

Yes, the crash does not occur when either of them is disabled.

@DavidXanatos
Member

OK, and if you comment out
AlertFolder=*\Users*\Downloads
Perhaps, for whatever reason, Defender tried to spawn a process designated as protected and our driver kills it.
Disabling only this ini directive would prove that.

@offhub offhub changed the title BSOD "SYSTEM_SERVICE_EXCEPTION (3b)" after closing sandboxed x64dbg BSOD "SYSTEM_SERVICE_EXCEPTION (3b)" when opening a DDL from AlertFolder using x64dbg Dec 15, 2024
@diversenok
Collaborator

Well, the BSOD error code says it's an unhandled exception and not a termination of a critical process. On a side note, if it was a critical process, maybe Sandboxie driver should clear the critical flag from all sandboxed processes before terminating them, for extra safety.

@offhub offhub changed the title BSOD "SYSTEM_SERVICE_EXCEPTION (3b)" when opening a DDL from AlertFolder using x64dbg BSOD "SYSTEM_SERVICE_EXCEPTION (3b)" when opening a DLL from AlertFolder using x64dbg Dec 15, 2024
@DavidXanatos
Member

@offhub if it's a SYSTEM_SERVICE_EXCEPTION, could you please provide the crash dump?

@offhub
Collaborator Author

offhub commented Dec 16, 2024

@DavidXanatos I sent it on Slack yesterday.

DavidXanatos added a commit that referenced this issue Dec 16, 2024
@DavidXanatos
Member

Got it, found a potential cause. Could you test the new driver from the CI build, please?

@offhub
Collaborator Author

offhub commented Dec 16, 2024

System still crashing with the new driver.

@DavidXanatos
Member

OK, that's strange. Could you send me a new crash dump via Slack, please?

@offhub
Collaborator Author

offhub commented Dec 16, 2024

When I remove all the DenyHostAccess settings under GlobalSettings, the crash does not occur. However, adding any DenyHostAccess entries under GlobalSettings causes a BSOD.

For example, setting DenyHostAccess=audiodg.exe,n under GlobalSettings results in a BSOD, whereas using Template=LessConfidentialBox under GlobalSettings does not cause a BSOD.

@offhub
Collaborator Author

offhub commented Dec 16, 2024

@DavidXanatos The reason I couldn't reproduce the crash in the virtual machine is that the Cloud Delivered Protection (SpyNet) setting was disabled by the policy. After removing the policy and enabling cloud protection, the crash can be reproduced with the settings from the first message.

@DavidXanatos
Member

@offhub OK, cool, will try to reproduce it in my VM ASAP.

@DavidXanatos DavidXanatos added Status: Fixed in Next Build Fixed in the next Sandboxie version Issue: Reproduced Issue reproduced without uncertainties labels Dec 17, 2024
@DavidXanatos
Member

@offhub the latest CI build fixes the issue

@offhub
Collaborator Author

offhub commented Dec 17, 2024

@DavidXanatos System still crashing with the CI #6806: Commit b733669

@DavidXanatos
Member

Eeee... not anymore on my test VM. Could you send me the newest crash dump?

@DavidXanatos
Member

Sorry, try this one: https://github.com/sandboxie-plus/Sandboxie/actions/runs/12371732937
Minor snafu in the last fix; now it should be fixed correctly.

@offhub
Collaborator Author

offhub commented Dec 17, 2024

I am downloading the file, I will let you know once I test it. (CI #6808: Commit 9bea526)

@offhub
Collaborator Author

offhub commented Dec 17, 2024

@DavidXanatos I tested the latest CI build (CI #6808: Commit 9bea526) on a virtual machine (Win 10/11) and there were no crashes. Thank you!

@offhub offhub removed the Confirmation Pending Further confirmation is requested label Dec 17, 2024