TOR Browser does not work why ?

[xame-arch]

SBIE2203 Failed to communicate with the service Sandboxie: *GUIPROXY_00000002; MsgId: 13 - firefox.exe [C0000034]
SBIE2203 Failed to communicate with the service Sandboxie: *GUIPROXY_00000002; MsgId: 13 - firefox.exe [C0000034]
SBIE2203 Failed to communicate with the service Sandboxie: *GUIPROXY_00000002; MsgId: 13 - firefox.exe [C0000034]
err=41020897 ... str1= ... str2= DefaultBox
err=41020897 ... str1= ... str2= DefaultBox
err=41020897 ... str1= ... str2= DefaultBox
SBIE2203 Failed to communicate with the service Sandboxie: *GUIPROXY_00000002; MsgId: 15 - firefox.exe [C0000034]
SBIE2203 Failed to communicate with the service Sandboxie: *GUIPROXY_00000002; MsgId: 15 - firefox.exe [C0000034]
SBIE2203 Failed to communicate with the service Sandboxie: *GUIPROXY_00000002; MsgId: 6 - firefox.exe [C0000034]
err=41020897 ... str1= ... str2= DefaultBox
err=41020897 ... str1= ... str2= DefaultBox
err=41020897 ... str1= ... str2= DefaultBox
err=41020897 ... str1= ... str2= DefaultBox
err=41020897 ... str1= ... str2= DefaultBox
err=41020897 ... str1= ... str2= DefaultBox
SBIE2203 Failed to communicate with the service Sandboxie: request C0000037
SBIE2203 Failed to communicate with the service Sandboxie: *GUIPROXY_00000002; MsgId: 14 - SandboxieRpcSs.exe [C0000080]

[isaak654]

@xame-arch
What about your Windows Version, Sandboxie version, Tor Browser version?

In my case, all 64-bit versions of Tor Browser don't work.

This is the error I receive after pressing the connect button in the dialog mask (tested with Sandboxie-Plus 0.6.7 and "torbrowser-install-win64-10.0.11_en-US.exe" on a Windows 10 2004 x64):
https://git.io/JtVGj

I can't navigate in the address bar. But outside of my empty sandbox, Tor browser 64-bit works fine.

I already know the workaround to use Tor Browser 32-bit (posted in #412), but not the technical reasons behind this incompatibility.

[xame-arch]

https://www.hybrid-analysis.com/sample/59e610eca00e3ce8bf1f584bdfbbce49ac0ace809d9bc09e4e6d214d972e1877/60194cb7c9be162e1832580b
See link above in the ATT&CK™ MITRE ATT&CK™ Detection Techniques
Perhaps because of the "Kernel Modules and Extensions" or the "Process Injection" perhaps it would be necessary to ask the developer of TOR to detect Sandboxie and in this configuration not to use "Kernel Modules and Extensions" or so that Sandboxie supports it that it is manufactured like the proof of concept in 2006 "Blue Pill" which has the privilege Ring 0 or that Sandboxie is Bootkit.

[Oridjinn1980]

I've also been trying to get TOR (10.0.11) to work in Sandboxie-Plus (0.6.7) on my windows 10 64bit desktop, but I seem to be facing the same issue as isaak654! I can run a normal firefox installation fine in all my sandboxes, but if I try to start TOR, at some point during it's startup, I get an error message that pops up (see attached).

[0x391F]

I've also been trying to get TOR (10.0.11) to work in Sandboxie-Plus (0.6.7) on my windows 10 64bit desktop, but I seem to be facing the same issue as isaak654! I can run a normal firefox installation fine in all my sandboxes, but if I try to start TOR, at some point during it's startup, I get an error message that pops up (see attached).

+1. The same problem, but my Sandboxie version is 0.7.1/5.48.5.

[DavidXanatos]

this is supposed to be open source, where can I find the sources

[0x391F]

Tor
https://github.com/torproject/tor

Firefox
https://ftp.mozilla.org/pub/firefox/releases/

[DavidXanatos]

Thats not what I need!
the tor browser is a Firefox fork its not original its modified, i would like these the modifications, so i need the altered sources not the originals from mozilla.

[DavidXanatos]

Seams the sources are here: https://gitweb.torproject.org/tor-browser.git

but I don't find the versions they offer fro download: https://dist.torproject.org/torbrowser/

Also strangely a similar official Mozilla 64 bit version works just fine.
When I prevent the hooking of NtOpenFile NtQueryAttributesFile and NtQueryFullAttributesFile
the SbieDll.dll loads just fine, but than it crashes some ware else, apparently the ntdll hooks are somehow not properly functional, when I prevent the hooking of all ntdll functions it starts fine, it even loads websites ok,
unfortunately it randomly crashes a minute or two later.

When I do the same with a original firefox it runs and does not crash.

Well enough time wasted, since Sbie works fine with original firefoxes and since the behavior observed does not seam to be a intentional mitigation, but rather a failure of the hooking mechanism during the image loading stage, the ball is imho on the to dev's side. Please complain with them to fix whatever they broke.

if you set MOZ_DISABLE_CONTENT_SANDBOX=1 as an environment variable that disables the Firefox sandbox and than you can start it.

[0x4E69676874466F78]

@DavidXanatos
10.0.12 based on Mozilla Firefox 78.8.0esr
https://gitweb.torproject.org/tor-browser.git/tag/?h=tor-browser-78.8.0esr-10.0-1-build1
Perhaps the 64bit version has dll injection protection.

[isaak654]

There is a new open issue about it at their Gitlab repository:
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40371

[xame-arch]

Tor 32 bit seems to work much better with Openfilepath and Openpipepath, OpenKeypath, OpenLpcPath, OpenWinClass.
I haven't been able to use OpenClsid, so I'm not sure what it's for and how to make it work. I think I saw a program dllhost.exe running in the sandbox while before no I do not know if the Open represents a risk I noticed that it asks me more the file chains to recover. I also tested a 32 bit Tor installation and it works but only half in the chosen language. Also, at the time of installation it asks me to enlarge the sandbox for xul.dll to more than 10000 but if I do it afterwards it will do the same for a video on the VLC software but it doesn't work afterwards.
On the other hand an installation of tor 64 bit will simply not start error 0xc00005 if I remember well
It's a lot of data, I didn't do the logs, you said before that disabling the hooking works but then crashes, with the "Open" configured it doesn't crash?
The difference between 32 bit and 64 bit seems to be another Process Injection "Allocates virtual memory in a remote process" and Query Registry "Queries sensitive IE security settings and Reads the windows installation date"
Does Sandboxie support process injection?

Tor 32 bit
https://www.hybrid-analysis.com/sample/47ff902239d5349cd1e8b07bb0a6024dbfb21a195e7349cb0a02f4e3867a1e1b/6069ebcec1966518537f5cb7
and
https://otx.alienvault.com/indicator/file/47ff902239d5349cd1e8b07bb0a6024dbfb21a195e7349cb0a02f4e3867a1e1b

Tor 64 bit
https://www.hybrid-analysis.com/sample/b5a7863443ce1d82fcab0533b12947e91400d1117b677b56a887b867feb732ae/60701033d868c06a7d2735e8
and
https://otx.alienvault.com/indicator/file/1e231319b40f0d6efbb111e1236fee0d27c2c4a8bd77041df1a4832d827e89ea

[isaak654]

Does Sandboxie support process injection?

@xame-arch
You might want to look at the documentation and/or using the repository search for further info:

Sandboxie/Sandboxie/install/Templates.ini

Lines 2530 to 2532 in c2f38e0

	HostInjectDll=\SboxHostDll.dll
	HostInjectDll64=\SboxHostDll.dll
	HostInjectProcess=OfficeClicktoRun.exe|ClickToRunSvc

[mutsuura]

I concur - latest 32-bit TOR browser works w/ Sandboxie, latest 64-bit TOR browser does not work.

[isaak654]

According to my tests, the first 64-bit version to introduce the conflict with Sandboxie is torbrowser-install-win64-8.0a9_en-US.exe, while torbrowser-install-win64-8.0a8_en-US.exe is the latest to work with Sandboxie.

I shared this finding on the open issue at their GitLab repository.

Just in case, here there is a list of related commits:
https://gitlab.torproject.org/tpo/applications/tor-browser/-/commits/tor-browser-60.0.1esr-8.0-1
(you would need to scroll it from top to bottom)

Release date of Tor Browser 8.0a9 x64 (the first release that broke Sandboxie support): 2018-06-25 12:59
Release date of Tor Browser 8.0a8 x64 (the last release with working Sandboxie support): 2018-06-09 19:07

[isaak654]

@DavidXanatos
I asked for help on the #tor IRC channel, so I have new interesting findings for this issue.

In short, this Sandboxie crash also applies to other Firefox x64 builds that use the same non-official toolchain, so it can't be considered a specific Tor Browser issue anymore:

#tor channel support about the Sandboxie crash report

tor: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40371 - Sandboxie software compatibility bug + a crash report
isaak654: Sandboxie developer already looked at it, and he states it's something you need to fix about content sandboxing in x64 builds
GeKo: yeah
GeKo: providing a patch would be much appreciated
GeKo: investigating that is likely to be non-trivial
isaak654: indeed, the last working Tor Browser release with Sandboxie is win64-8.0a8 (released in 2018), so I think it's time starting to find an interested developer
GeKo: i suspect the problem is that we use a different compiler for windows binaries than mozilla by default
GeKo: however, you can verify that as mozilla is providing firefox build with the same toolchain
GeKo: let me find a Firefox x64 link for you to try
GeKo: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/RKlEsB7ETXSlpOh4SWYc7Q/runs/0/artifacts/public/build/target.zip
GeKo: you could try the bundle you get in target.zip
GeKo: i bet you have the same issue with sandboxie
GeKo: even though it's plain firefox code
isaak654: I can reproduce the Sandboxie issue with that Firefox Nightly x64 build too, and now?
GeKo: the next steps for you or anyone debugging this could be checking whether that happens with the debug version as well and/or whether newer/older compiler versions fix the problem
GeKo: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/WsXatyNiRUWKG6TSUDbOaw/runs/0/artifacts/public/build/target.zip has the binaries for the debug build
isaak654: the Firefox debug build you passed me crashes the same, no change
GeKo: great
GeKo: now the excitment starts
GeKo: the debug build has debug symbols. someone should attach a debugger to it and then figure out what's going on
GeKo: OR someone could start bisecting the compiler/toolchain figuring out what is going on
GeKo: pick your poison :)
GeKo: fwiw, the ticket you wanted to link to is likely https://bugzilla.mozilla.org/show_bug.cgi?id=1461421
GeKo: we know, though, that this is not a tor browser issue
GeKo: it happens with firefox, too, provided you use the same non-official toolchain
GeKo: feel free to update the tor-browser ticket too with what you learned :)

[DavidXanatos]

I have investigated the issue further and found the problem, it will be fixed in one of the upcoming builds