SBIE DLL API

SBIE DLL API

This page describes the callable entrypoints in the SbieDll.dll dynamically-linked library (DLL). These entrypoints expose some functionality of Sandboxie that can be accessed programmatically, that is, through other programs rather than through a person interacting with Sandboxie.

There are three aspects to using Sandboxie programmatically:

  • Driving some functionality using the Start.exe program. See Start Command Line.
  • Injecting custom DLLs into sandboxed programs. See InjectDll.
  • Calling Sandboxie entrypoints from programs running (sandboxed or not). Described here.

The entrypoints described here are all exported by SbieDll.dll. To access an entrypoint, you should dynamically load this DLL into your program, and get the address of the desired entrypoint. For example,

        __declspec(dllexport) void __stdcall InjectDllMain(HINSTANCE hSbieDll, ULONG_PTR UnusedParameter)
    {
        //
            // locate the address of SbieDll_Hook in SbieDll.dll
            //  

            typedef void *(__stdcall *P_SbieDll_Hook)(
                    const char *ApiName, void *ApiFunc, void *NewFunc); 

            P_SbieDll_Hook p_SbieDll_Hook = GetProcAddress(hSbieDll, "SbieDll_Hook"); 

        //
            // invoke SbieDll_Hook through the function pointer
            //  

            p_SbieDll_Hook(...);
    }   

Note the use of InjectDllMain (see Inject Dll) to get a handle to the loaded instance of SbieDll. That is the recommended approach. However, using LoadLibrary or GetModuleHandle to look up SbieDll by name is also fine.


Enumerate Sandbox Names

  • Prototype:

        typedef LONG (__stdcall *P_SbieApi_EnumBoxes)(
                LONG index,                 // initialize to -1
                WCHAR *box_name);           // pointer to WCHAR [34]
  • Export Name:

        SbieApi_EnumBoxes
  • Parameters:

        index [in] specifies which sandbox to return.  Initialize to -1.
        Sandboxes are enumerated in the order they appear in Sandboxie.ini.
    
        box_name [out] receives the sandbox name.
    
        Note:  this function cannot be used by a sandboxed program.
  • Return Value:

        Returns the next value to use for the index parameter.
        Returns -1 when there is nothing left to enumerate.
  • Sample Code:

        WCHAR name[34];
        int index = -1;
        while (1) {
                index = SbieApi_EnumBoxes(index, name);
                if (index == -1)
                    break;
                SandboxNames_StringArray.add(name);
        }

Query Sandbox Paths by Sandbox Name

  • Prototype:

        typedef LONG (__stdcall *P_SbieApi_QueryBoxPath)(
                const WCHAR *box_name,      // pointer to WCHAR [34]
                WCHAR *file_path,
                WCHAR *key_path,
                WCHAR *ipc_path,
                ULONG *file_path_len,
                ULONG *key_path_len,
                ULONG *ipc_path_len);
  • Export Name:

        SbieApi_QueryBoxPath
  • Parameters:

        box_name [in] specifies the name of the sandbox for which
        to return path information.
    
        file_path [out] receives the path to the root directory of
        the sandbox, as set by the FileRootPath setting.
        The buffer receives at most the number of bytes specified
        by the file_path_len parameter.  Pass NULL to ignore this
        parameter.
    
        key_path [out] receives the path to the root key of the
        sandbox registry, as set by the KeyRootPath setting.
        The buffer receives at most the number of bytes specified
        by the key_path_len parameter.  Pass NULL to ignore this
        parameter.
    
        ipc_path [out] receives the path to the root object directory
        of the sandbox, as set by the IpcRootPath setting.
        The buffer receives at most the number of bytes specified
        by the ipc_path_len parameter.  Pass NULL to ignore this
        parameter.
    
        file_path_len [in/out] specifies the length in bytes of the
        file_path buffer.  On return, receives the length in bytes
        needed to receive a complete buffer.
    
        key_path_len [in/out] specifies the length in bytes of the
        key_path buffer.  On return, receives the length in bytes
        needed to receive a complete buffer.
    
        ipc_path_len [in/out] specifies the length in bytes of the
        ipc_path buffer.  On return, receives the length in bytes
        needed to receive a complete buffer.
  • Return Value:

        Returns zero on success, a non-zero value on error.
  • Sample Code:

        ULONG FileLen = 0;
        ULONG KeyLen  = 0;
        ULONG IpcLen  = 0;
    
        SbieApi_QueryBoxPath(
                NULL, NULL, NULL, NULL, &FileLen, &KeyLen, &IpcLen);
    
        // note that lengths are returned as the number of bytes,
        // rather than number of WCHAR characters
    
        WCHAR *FileBuf = malloc(FileLen);
        WCHAR *KeyBuf = malloc(KeyLen);
        WCHAR *IpcBuf = malloc(IpcLen);
    
        SbieApi_QueryBoxPath(
                FileBuf, KeyBuf, IpcBuf, &FileLen, &KeyLen, &IpcLen);
    
        // now use wcslen to count the number of characters
    
        FileLen = wcslen(FileBuf);
        KeyLen  = wcslen(KeyBuf);
        IpcLen  = wcslen(IpcBuf);
    • *

Query Sandbox Paths by Process ID

  • Prototype:

        typedef LONG (__stdcall *P_SbieApi_QueryProcessPath)(
                HANDLE process_id,
                WCHAR *file_path,
                WCHAR *key_path,
                WCHAR *ipc_path,
                ULONG *file_path_len,
                ULONG *key_path_len,
                ULONG *ipc_path_len);
  • Export Name:

        SbieApi_QueryProcessPath
  • Parameters:

        process_id [in] specifies the ID of the sandboxed process to query.
    
        file_path [out]
    
        key_path [out]
    
        ipc_path [out]
    
        file_path_len [in/out]
    
        key_path_len [in/out]
    
        ipc_path_len [in/out]
    
        The last six parameters are similar to the last six parameters for
        the QueryBoxPath function, discussed above.  However, QueryProcessPath
        (this function) returns the sandbox paths that are in use by a running
        program, whereas QueryBoxPath returns the paths as they are recorded
        in the Sandboxie configuration.
    
        Or put another way:  Suppose a sandboxed program starts with PID 124,
        and then some sandbox path (for instance FileRootPath) is set to a
        new value.  At this point, QueryBoxPath will return the new value, but
        QueryProcessPath for PID 124 will return the old value.
  • Return Value:

        Returns zero on success, a non-zero value on error.
    • *

Enumerate Running Processes

  • Prototype:

        typedef LONG (__stdcall *P_SbieApi_EnumProcessEx)(
                const WCHAR *box_name,      // pointer to WCHAR [34]
                BOOLEAN all_sessions,
                ULONG which_session,
                ULONG *boxed_pids);         // pointer to ULONG [512]
  • Export Name:

        SbieApi_EnumProcessEx
  • Parameters:

        box_name [in] specifies the name of the sandbox in which
        processes will be enumerated.
    
        all_sessions [in] specifies TRUE to enumerate processes in all
        logon sessions or only in a particular logon session
    
        which_session [in] specifies the logon session number in which
        processes will be enumerated.  Ignored if all_sessions if TRUE.
        Pass the value -1 to specify the current logon session.
    
        boxed_pids [out] receives the process ID (PID) numbers.
        The first ULONG receives the number of processes enumerated.
        The second ULONG receives the first PID, the third ULONG receives
        the second PID, and so on.
  • Return Value:

       Returns zero on success, a non-zero value on error.
    • *

Query Process Information

  • Prototype:

        typedef LONG (__stdcall *P_SbieApi_QueryProcess)(
                HANDLE process_id,
                WCHAR *box_name,            // pointer to WCHAR [34]
                WCHAR *image_name,          // pointer to WCHAR [96]
                WCHAR *sid_string,          // pointer to WCHAR [96]
                ULONG *session_id);
  • Export Name:

        SbieApi_QueryProcess
  • Parameters:

        process_id [in] specifies the ID of the sandboxed process to query.
    
        box_name [out] receives the name of the sandbox in which the
        process is running.  Pass NULL to ignore this parameter.
    
        image_name [out] receives the process name.  Pass NULL to ignore
        this parameter.
    
        sid_string [out] receives the SID string for the process.
        Pass NULL to ignore this parameter.
    
        session_id [out] receives the logon session number in which
        the process is running.  Pass NULL to ignore this parameter.
  • Return Value:

        Returns zero on success, a non-zero value on error.
    • *

Terminate a Single Sandboxed Process

  • Prototype:

        typedef BOOLEAN (__stdcall *P_SbieDll_KillOne)(
                HANDLE process_id);
  • Export Name:

        SbieDll_KillOne
  • Parameters:

        process_id [in] specifies the process ID for the sandboxed
        process that should be terminated.
  • Return Value:

        Returns TRUE on success, FALSE on failure.
    
        The target process is terminated by the Sandboxie service
        (SbieSvc) with exit code 1 through a call to the Windows API
        TerminateProcess (ProcessId, 1).
    • *

Terminate All Sandboxed Processes

  • Prototype:

        typedef BOOLEAN (__stdcall *P_SbieDll_KillAll)(
                ULONG session_id,
                const WCHAR *box_name);
  • Export Name:

        SbieDll_KillAll
  • Parameters:

        session_id [in] specifies the logon session number in which
        sandboxed programs should be terminated.
    
        box_name [in] specifies the sandbox name in which sandboxed
        programs should be terminated.  Specify -1 to indicate the
        current logon session.
  • Return Value:

        Returns TRUE on success, FALSE on failure.
    
        The target processes are terminated in the fashion described
        above; see SbieDll_KillOne.
    • *

Query Configuration from Sandboxie.ini

  • Prototype:

        typedef LONG (__stdcall *P_SbieApi_QueryConf)(
                const WCHAR *section_name,  // pointer to WCHAR [34]
                const WCHAR *setting_name,  // pointer to WCHAR [66]
                ULONG setting_index,
                WCHAR *value,
                ULONG value_len)
  • Export Name:

        SbieApi_QueryConf
  • Parameters:

        section_name [in] specifies the section name that contains
        the setting to query.
    
        setting_name [in] specifies the setting name to query.
    
        setting_index [in] specifies the zero-based index number
        for a setting that may appear multiple times.  The index
        number can be logically OR'ed with these special values:
    
            0x40000000 - do not scan the [GlobalSettings] section
            if the specified setting name does appear in the
            specified section.
    
            0x20000000 - do not expand any variables in the result.
    
            0x10000000 - ignore any settings that originate from
            a template (typically defined in the Templates.ini file).
            only query those settings that appear explicitly in the
            Sandboxie.ini file.
    
        value [out] receives the value of the specified setting.
    
        value_len [in] specifies the maximum length in bytes of
        the buffer pointed to by the value parameter.
  • Return Value:

        Returns zero on success.  Returns 0xC000008B if the setting
        was not found.  Any other return value indicates some other error.
    • *

Update Configuration in Sandboxie.ini

  • Prototype:

        typedef LONG (__stdcall *P_SbieDll_UpdateConf)(
            WCHAR operation_code,
            const WCHAR *password,      // limited to 64 chars
                const WCHAR *section_name,  // limited to 32 chars
                const WCHAR *setting_name,  // limited to 64 chars
                const WCHAR *value)         // limited to 2000 chars
  • Export Name:

        SbieDll_UpdateConf
  • Parameters:

        operation_code [in] specifies how to update the request setting:
        's' to set (overwrite), replacing any existing values
        'a' to append the new value at the bottom of a list of values
            (or simply set the new value if there isn't one already)
        'i' to insert the new value at the top of a list of values
            (or simply set the new value if there isn't one already)
        'd' to delete an existing value in a list of values
    
        password [in] specifies the password to use if one is required,
        or NULL or an empty string otherwise.
    
        section_name [in] is a required parameter which specifies the
        section name that contains the setting to set.
    
        setting_name [in] is a required parameter which specifies the
        setting name to set.
    
        value [ini] is an optional parameter specifies the new value.
    
        If operation_code is 's' and value is omitted, the corresponding
        setting in the specified section will be deleted.   
    
        If operation_code is 's' and setting_name is "*" (wildcard star)
        and value is omitted, this function deletes a complete section
        from the configuration file.
  • Return Value:

        Returns zero on success.
    • *

Reload Configuration from Sandboxie.ini

  • Prototype:

        typedef LONG (__stdcall *P_SbieApi_ReloadConf)(
                ULONG session_id);
  • Export Name:

        SbieApi_ReloadConf
  • Parameters:

        session_id [in] specifies the logon session number to which
        Sandboxie will log any error messages.  Pass -1 for the current
        logon session.
  • Return Value:

        Returns zero on success, a non-zero value on error.
    • *

Hook a User-Mode Entrypoint

  • Prototype:

        typedef void *(__stdcall *P_SbieDll_Hook)(
                const char *name,
                void *source_func,
                void *detour_func);
  • Export Name:

        SbieDll_Hook
  • Parameters:

        name [in] specifies an ASCII-string naming the entrypoint to
        be hooked.  In case of error, SbieDll_Hook logs a Sandboxie
        error message which includes this descriptive name.
    
        source_func [in] pointer to the function to hook.
    
        detour_func [in] pointer to the hook code.
    
        This function will cause the source function to invoke the detour
        function.  In other words, the detour function will intercept all
        calls to the source function.
  • Return Value:

        Returns a function pointer which can be used by the detour
        function to invoke the source function.
  • Sample Code:

       typedef BOOL (__stdcall *P_DeleteFileW)(const WCHAR *Path);
    
       P_DeleteFileW pDeleteFileW = NULL;
    
       BOOL __stdcall MyDeleteFileW(const WCHAR *Path)
        {
            if (Path[0] == L'C') {
    
                // silently ignore requests to delete any file on drive C
    
                SetLastError(0);
                return TRUE;
    
            } else {
    
                // otherwise invoke the original DeleteFileW function
    
                return pDeleteFileW(Path);
            }
        }
    
        main()
        {
            pDeleteFileW = GetProcAddress(kernel32dll, "DeleteFileW");
            pDeleteFileW = SbieDll_Hook("DeleteFile",
                                        pDeleteFileW,
                                        MyDeleteFileW);
        }
    • *

Register for DLL Load/Unload Callbacks

  • Prototype:
       typedef void (__stdcall *P_DllCallback)(const WCHAR *ImageName, HMODULE ImageBase);
       typedef BOOLEAN *(__stdcall *P_SbieDll_RegisterDllCallback)(
               P_DllCallback pCallback);
  • Export Name:

       SbieDll_RegisterDllCallback
    
       This API is available starting with version 3.46 of Sandboxie.
  • Parameters:

       pCallback specifies a callback function to be invoked whenever
       any DLL is loaded or unloaded in the process.  The callback
       function cannot be unregistered.
       The ImageName (first) parameter to the callback function
       specifies the UNICODE name string for the DLL that was loaded
       or unloaded.  The name string does not include a path.
       The ImageBase (second) parameter to the callback function
       specifies the load base address for the DLL, when the callback
       function is invoked to notify of a DLL load.  When the callback
       function is invoked to notify of a DLL unload, this parameter
       is set to zero.
  • Return Value:

       Returns TRUE on success, FALSE if the callback cannot be registered.
       As of version 3.46, Sandboxie supports up to 8 registrations within
       a single process.
    • *

Get Sandboxie Home Folder

  • Prototype:

       typedef LONG *(__stdcall *P_SbieApi_GetHomePath)(
               WCHAR *NtPath,
               ULONG NtPathMaxLen,
               WCHAR *DosPath,
               ULONG DosPathMaxLen);
  • Export Name:

       SbieApi_GetHomePath
    
       This API is available starting with version 3.52 of Sandboxie.
  • Parameters:

       NtPath specifies a pointer to a buffer which will receive the
       full path of the Sandboxie installation folder in NT-path syntax.
    
       NtPathMaxLen specifies the size of the NtPath buffer.  Specify
       NULL for NtPath and zero for NtPathMaxLen to not receive the
       NT path.
    
       DosPath specifies a pointer to a buffer which will receive the
       full path of the Sandboxie installation folder in DOS-path syntax.
    
       DosPathMaxLen specifies the size of the DosPath buffer.  Specify
       NULL for DosPath and zero for DosPathMaxLen to not receive the
       NT path.
  • Return Value:

       Returns zero on success, a non-zero value on error.
    
       STATUS_BUFFER_TOO_SMALL (0xC0000023) indicates either NtPathMaxLen
       or DosPathMaxLen specifies a buffer that is too small.  Increase
       the size of the input buffer and retry the call.