Tracing (FileTrace, DebugTrace) doesn't work #886

Closed
RationalFragile opened this issue Jun 10, 2021 · 10 comments
Labels: added in next build, documentation

Comments

@RationalFragile

Describe the bug
Sysinternals' DebugView doesn't show file access (nor key, ipc...).
The resource monitor(?) "Trace Log" panel works if you enable "Trace Logging" (Sandboxie-Plus) but it works on all Sandboxes and ignores the options like FileTrace=*. (Also, it buffer overflows very fast if you have many Sandboxes running...)

To Reproduce

  1. Create new Sandbox "TraceTest"
  2. Use the provided config (or check all options in Sandbox Options > Advanced Options > Tracing except API Call Trace)
  3. Reload ini and open dbgview64.exe
  4. Open cmd Sandboxed and write to a file (echo test > C:\test.txt) and check it was written (more C:\test.txt)
  5. No debug messages regarding files will be found. (Please check the screenshots.)

Expected behavior
Expected to see the same messages that appear in the "Trace Log" panel when it is activated but the messages should only be for the selected Sandbox and options (unlike Trace Log which ignores options and sandboxes).

Screenshots
The debug messages that show up:
[Screenshot: TraceTest]

The dbgview64.exe options:
[Screenshot: dbgview options]

If you instead enable Trace Logging it shows the messages (but never in dbgview64.exe):
[Screenshot: Trace Logging]

System details and installed software (please provide the following information):

  • Windows 10 Pro 20H2 (Ameliorated)
  • Sandboxie Plus 0.7.5
  • I didn't test in other Sandboxie versions.
  • No security software installed (Windows security is "removed" in the "amelioration" process) and Malwarebytes firewall control is installed.

Additional context
I understand that the log can be acquired from the Trace Logging panel as I said, but unless I'm missing something obvious, the Trace Logging cannot be used for just one Sandbox which limits its usefulness for my case since I'd have to terminate all other sandboxes to be able to debug a new one.

Sandboxie configuration

Sandboxie.ini settings

[GlobalSettings]

FileRootPath=D:\Sandboxes\%SANDBOX%
SeparateUserFolders=n
KeyRootPath=\REGISTRY\USER\Sandbox_%SANDBOX%
IpcRootPath=\Sandbox\%SANDBOX%
EditAdminOnly=y
ForceDisableAdminOnly=y
ForgetPassword=y
Template=SynapticsTouchPad
Template=7zipShellEx
Template=RpcPortBindings
ForceDisableSeconds=60
TemplateReject=WindowsRasMan
TemplateReject=WindowsLive
TemplateReject=OfficeLicensing

[UserSettings_175D0429]

SbieCtrl_AutoStartAgent=SandMan.exe
SbieCtrl_EnableAutoStart=y

[TraceTest]

Enabled=y
AutoRecover=n
BlockNetworkFiles=y
BorderColor=#ff00ff,ttl,2
Template=AutoRecoverIgnore
ConfigLevel=9
BoxNameTitle=y
CopyLimitKb=-1
FileTrace=*
CallTrace=*
PipeTrace=*
KeyTrace=*
IpcTrace=*
GuiTrace=*
ClsidTrace=*
DebugTrace=y
ErrorTrace=y

Thank you so much for taking the time to read my bug report!

@DavidXanatos
Member

The trace options no longer log to the kernel debug output but instead to the resource access log of Sandboxie,
so it's not expected to see anything in DbgView.
You can set the trace options on a per-box basis such that only the boxes you need will generate trace logs.

You can adjust the buffer size in the Sandboxie.ini; adding TraceBufferPages=2560 will increase the buffer size tenfold.

DavidXanatos added the documentation label Jun 10, 2021
@RationalFragile
Author

Thank you.
Can you please indicate how to configure the trace to only show one box?

Also, there is the issue with the Trace Logger panel that you can't scroll or select entries once you stop the logging. So if a program generates thousands of entries and you've found the one you want already, it becomes difficult to stop new entries without killing that process. Maybe it would be possible to add an export button that saves the entries to a file when the panel is disabled? In that case you would enable logging, do the action you want with that process, disable logging and export to investigate using a text editor.

Again, thank you for your time.

@DavidXanatos
Member

You add the TraceSomething=* directive only to one box ini section instead of adding it globally.

I'll keep the panel always enabled even when the logging is stopped; that's an easy fix.
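
Added example, not part of the original thread or the Sandboxie project: a Python check that lists which Sandboxie.ini sections carry trace directives, to confirm tracing is scoped to a single box as described in the comment above. It assumes the file is already decoded to text, that trace directives are the keys ending in "Trace" as in the posted configuration, and that a value of n turns one off; the [OtherBox] section is hypothetical.

```python
import re

# Constructed sample: trimmed from the configuration posted in the report, with
# TraceBufferPages added globally and a hypothetical second box, [OtherBox].
SAMPLE_INI = """\
[GlobalSettings]
Template=7zipShellEx
Template=RpcPortBindings
TraceBufferPages=2560

[TraceTest]
FileTrace=*
KeyTrace=*
DebugTrace=y

[OtherBox]
Enabled=y
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
# Matches FileTrace, KeyTrace, DebugTrace ... but not TraceBufferPages.
TRACE_KEY_RE = re.compile(r"^[A-Za-z]+Trace$")

def parse_ini(text):
    """Return {section: [(key, value), ...]}; repeated keys (Template=) are kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections

def trace_scope(text):
    """Return {section: sorted trace keys} for every section that enables tracing."""
    scope = {}
    for name, items in parse_ini(text).items():
        # Assumption: a value of "n" switches the directive off.
        keys = sorted({k for k, v in items if TRACE_KEY_RE.match(k) and v.lower() != "n"})
        if keys:
            scope[name] = keys
    return scope

def tracing_is_per_box(text):
    return "GlobalSettings" not in trace_scope(text)
```

The standard configparser module rejects the repeated Template= keys in its default strict mode, which is why the example parses the file by hand.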

@RationalFragile
Author

I'm sorry but no, the logging panel currently collects all boxes and all types of logging whether you add the TraceFile=* in one box or don't add it at all.
In other words, the logging panel always shows all logs (File, Key, IPC...) for all boxes, ignoring any settings in Sandboxie.ini.
(I never tested with [GlobalSettings], please check the Sandboxie.ini summary I attached at the top.)

@DavidXanatos
Member

I think I know what your issue is:
this log contains the Sandboxie resource access log as well as the trace log,
so with no TraceSomething=* for every box it will contain some logs, but in boxes with for example TraceFile=* it will contain many more log entries.

So what you want is an option to either disable any logging for other boxes or to show only entries belonging to the currently selected box?

@RationalFragile
Author

Yes, a way to filter the resource monitor logs by box and type of resource.
What makes the resource monitor panel even harder to use is that if you click on "Clear Trace Logs", it resets the selected PID. Because otherwise, my temporary solution would be to filter by process instead of by box.
And also, if it's possible to add an export logs button to the Trace Logging panel, it would allow saving the logs to a file, and then the user can filter them with some external text editor.

DavidXanatos added the Feature request label Jun 11, 2021
@DavidXanatos
Member

The next build will have an sbie option DisableMonitor=y that enables you to disable logging of resource access messages to the trace log.
You can add the option to the global section
and then re-enable it for individual boxes using DisableMonitor=n,
or you just disable it for individual boxes.

Not sure about adding the box filter, as I'm worried that resolving pid -> box for each and every of hundreds of zillions of log entries may be bad for the performance.

@DavidXanatos
Member

DavidXanatos commented Jun 11, 2021

PS: I think I'll rename the option to DisableResourceMonitor=y, just FYI.
In the changelog of the next build the definitive name of the option will be noted.

@DavidXanatos
Member

OK, it does not seem to be too performance-degrading; the next build will have a check box to show trace entries only for the currently selected box.

DavidXanatos added the added in next build label and removed the Feature request label Jun 11, 2021
@RationalFragile
Author

That would solve my issue. Thank you so much. 😄
