[Bug] Selecting "Quit" on the support reminder popup window actually does not lead to a proper process termination of SandMan.exe. #3421

Open
gettysburg opened this issue Nov 6, 2023 · 5 comments
Labels: Confirmation pending (Further confirmation is requested), ToDo (To be done)

gettysburg commented Nov 6, 2023

Describe what you noticed and did

After a period of time, SandMan.exe will prompt you to support the project by buying a certificate, based on safely stored variables such as install date and last reminder date.

When you click "Quit", SandMan.exe fails to shut down properly.

I decided to investigate the code for this popup, which is located in the function bool DoAboutDialog(bool bReminder) inside the file aboutdlg.cpp.

I could not find any errors in the code itself; however, I only took a quick look.

I then used SystemInformer (latest version) to check out the unresponsive process:

image

This is the stack trace for the first thread in the list:

image

Since it was stuck on WaitForMultipleObjects, I used the "Analyze" and "Wait chain traversal" tool provided by SystemInformer:

image
image

This did not provide much more information, except that it was waiting on two completions.

So I decided to look at the stack trace for the SandMan.exe process itself:

image

Repeating the analyze option from above, I could yield the following information from the thread since it was stuck on a similar function, WaitForSingleObject:

image

With this information I looked at all handles, and found the one it was waiting on:

image

Upon clicking "Set" in the event tab, it seems like WaitForSingleObject was satisfied and now the actual graceful shutdown of the process began...

or so I thought!

I double checked by opening Event Viewer, and sure enough, it had an AppCrash event in it:

Faulting application name: SandMan.exe, version: 1.11.4.0, time stamp: 0x651ee60f
Faulting module name: ntdll.dll, version: 10.0.22621.1928, time stamp: 0x7dd9e350
Exception code: 0xc0000374
Fault offset: 0x000000000010c1f9
Faulting process id: 0x0x2628
Faulting application start time: 0x0x1DA1095B3454A4D
Faulting application path: C:\Program Files\Sandboxie-Plus\SandMan.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 8c557939-86c8-4a6a-8055-02c0ecf8683d

I (ab)used slui.exe to translate the exception code to a human readable one, and it appears that heap corruption occurred:

image

Now, I loaded ntdll.dll into IDA 8.3, which downloaded its PDB, and then I manually rebased the database to 0x1000.

This allowed jumping to the exception address directly, 0x000000000010c1f9, which just turned out to be the function RtlReportFatalFailure, which subsequently calls RtlRaiseException to actually raise an exception and log it to the event log.

I don't have much else to report here, and I am not familiar with your code base so I don't know what could be the cause.

Unfortunately I forgot to dump the process while I still had the chance before manually triggering the event through SystemInformer, so maybe try reproducing the issue on your end by forcing the window to show?

How often did you encounter it so far?

Every single time "Quit" is chosen as the option.

Affected program

Not relevant

Download link

Not relevant

Where is the program located?

Not relevant to my request.

Expected behavior

I expect the "Quit" button to initiate a graceful shutdown of the program.

What is your Windows edition and version?

Windows 11 Enterprise 22H2 (Build 22621.1992)

In which Windows account you have this problem?

A local account (Standard user).

Please mention any installed security software

None

What version of Sandboxie are you running?

Sandboxie-Plus 1.11.4

Is it a new installation of Sandboxie?

I have been using the same version for some time.

Is it a regression?

No response

In which sandbox type you have this problem?

Not relevant to my request.

Can you reproduce this problem on a new empty sandbox?

Not relevant to my request.

Did you previously enable some security policy settings outside Sandboxie?

No response

Crash dump

No response

Trace log

No response

Sandboxie.ini configuration

#
# Sandboxie configuration file
#

[GlobalSettings]
TemplateReject=7zipShellEx
TemplateReject=OfficeLicensing
TemplateReject=WindowsLive
TemplateReject=WindowsRasMan
DefaultBox=Sandbox
FileRootPath=\??\%SystemDrive%\Sandbox\%USER%\%SANDBOX%
KeyRootPath=\REGISTRY\USER\Sandbox_%USER%_%SANDBOX%
IpcRootPath=\Sandbox\%USER%\%SANDBOX%\Session_%SESSION%
EnableWin32kHooks=n

[UserSettings_08DA01C0]
SbieCtrl_AutoStartAgent=SandMan.exe -autorun
SbieCtrl_EnableAutoStart=y
BoxGrouping=:Sandbox

[Sandbox]
Enabled=y
BlockNetworkFiles=y
RecoverFolder=%Desktop%
RecoverFolder=C:\Users\User\Downloads
BorderColor=#0000ff,on,6
Template=LingerPrograms
Template=AutoRecoverIgnore
ConfigLevel=10
UseFileDeleteV2=y
UseRegDeleteV2=y
AutoRecover=y
ClosePrintSpooler=y
NotifyProcessAccessDenied=y
CopyLimitKb=8192
AllowBoxedJobs=y
CopyBlockDenyWrite=y
NotifyDirectDiskAccess=y
DropAdminRights=y
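
Added example (not part of the original report and not Sandboxie code): a Python sketch that decodes the Application Error record quoted in the report above without a GUI helper, covering the doubled "0x0x" prefixes, the NTSTATUS name, and the FILETIME start time. The function names and the four-entry NTSTATUS table are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: fields copied from the event record quoted in the report.
EVENT_TEXT = """\
Faulting application name: SandMan.exe, version: 1.11.4.0, time stamp: 0x651ee60f
Faulting module name: ntdll.dll, version: 10.0.22621.1928, time stamp: 0x7dd9e350
Exception code: 0xc0000374
Fault offset: 0x000000000010c1f9
Faulting process id: 0x0x2628
Faulting application start time: 0x0x1DA1095B3454A4D
"""

# Small subset of NTSTATUS codes that commonly show up in crash events.
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def hexval(text):
    """Parse a hex field, tolerating the doubled '0x0x' prefix seen above."""
    return int(re.sub(r"^(0x)+", "", text.strip(), flags=re.I), 16)


def parse_event(text):
    """Turn the 'Key: value' lines of the record into decoded fields."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    code = hexval(fields["Exception code"])
    # The start time is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
    ticks = hexval(fields["Faulting application start time"])
    return {
        "module": fields["Faulting module name"].split(",")[0],
        "status": NTSTATUS.get(code, f"unknown (0x{code:08X})"),
        "offset": hexval(fields["Fault offset"]),  # relative to the module's load address
        "pid": hexval(fields["Faulting process id"]),
        "started": FILETIME_EPOCH + timedelta(microseconds=ticks // 10),
    }


if __name__ == "__main__":
    for name, value in parse_event(EVENT_TEXT).items():
        print(f"{name}: {value}")
```
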
gettysburg added the "Confirmation pending" label Nov 6, 2023
gettysburg changed the title from "[Bug] Selecting "Quit" on the support reminder popup window actually does not properly shutdown SandMan.exe." to "[Bug] Selecting "Quit" on the support reminder popup window actually does not lead to a proper process termination of SandMan.exe." Nov 7, 2023
gettysburg commented Nov 13, 2023

@DavidXanatos Can you reproduce this on your system?

If not, I could write a small library to (inline) hook the code in DoAboutDialog and always make it show the dialog in question.

I could also tamper with the InstallDate and LastReminder variables.

Let me know if the same behavior occurs on your end.

DavidXanatos added the "ToDo" label Nov 18, 2023

DavidXanatos (Member) commented

I can't reproduce this issue right now; does anyone else have this issue?

gettysburg (Author) commented

I will post a dump of the frozen process the next time this happens for sure, but yeah, input from other people would be valuable.

My system is a heavily modified Windows 11, well, actually something called Tiny11 (which basically takes a pristine Windows 11 image and removes all the junk, as well as the need for TPM 2.0, and some more system requirements), but I have no issues with any other executable or dynamic library, so this seems something Sandboxie related, maybe just an odd coincidence but nonetheless it happened to me more than once.

Still a bit annoyed that I didn't dump the frozen process when I had a chance to do so.

Maybe the call-stack of SandMan.exe gives you some insight?

In case you didn't know, if you load its PDB into IDA, and rebase the segments to 0x1000 you will be able to jump to the offset displayed in the call-stack window, to the right side of SandMan.exe and the plus sign, and it will directly take you to the respective function and location where a call or jmp to another function happened, hence the new stack frame.

This is the only static analysis clue I could offer you in this situation, since I have no dump, and I don't feel like changing either the install or last reminder date to hopefully make the window appear.

offhub commented Dec 4, 2023

I can reproduce this issue.

  1. Install Sandboxie-Plus.
  2. If a certificate was entered, remove it.
  3. Stop Sandboxie with Maintenance > Stop All.
  4. Manually change the Windows date to 1 year ahead (make sure you disable the 'set time automatically' option).
  5. Run SandMan.exe and click 'Quit' when the reminder screen appears (if not, close SandMan.exe and start it again).
sbie3421rmndrqt01.mp4

gettysburg (Author) commented

@offhub Thank you for your confirmation.

I initially thought it was just my tampered-with operating system for a short period, before then realizing that everything else has been working just fine without any issues since the installation of said OS, Tiny11, around May earlier this year.
