
How to conduct Pen Test with Windows Features

Guide: How to Conduct Penetration Testing Using the Built-in Features of Windows Part Two

In the second part of a two-part series, we will review each of the features in the order outlined above, provide background information about each one, explain their limitations and integrations, and offer installation details with tips on how to utilize them. Supporting graphics will also be included to make it easier to understand.


Reverse Engineering Utilising Windows Sandbox
What is Windows Sandbox?

Microsoft introduced a feature called Windows Sandbox in the May 2019 update. It is designed to provide a lightweight desktop environment to run applications in an isolated system. All software and applications installed inside this environment remain sandboxed and run separately from the host machine.

All files stored inside Windows Sandbox are temporary; once closed, all files and the state are deleted. However, with the Windows 11 22H2 update, the data will persist through a restart of the environment initiated inside the virtualised system. This new addition is intended to allow the installation of applications that require the OS to reboot.

Figure 1. Screenshot showing Windows Sandbox


How to Install It

Windows Sandbox is included in Windows 10/11 Pro and Enterprise; it can be set up through the “Turn Windows features on or off” window.

Figure 2. Screenshot showing the Windows Features where Sandbox can be enabled or disabled


How Pen Testers Can Use the Sandbox

Now that we know what it is, how can it be used for penetration testing? There are three main uses. First, we can use it for testing thick clients or desktop applications, installing the software in this environment instead of on our host machine. Second, if we perform a configuration review, we can use this environment to sign into the organisation's accounts and keep them separate from our own. Finally, we can use this environment to test new tools and exploit scripts that require Windows to run, without risking or endangering our host machine and network.

Figure 3. Screenshot showing a sample configuration file.


This configuration file can be used to control different settings inside the environment, such as:

  • Enabling or disabling the virtualised GPU.
  • Enabling or disabling network/internet access for the system.
  • Specifying which folders on the host machine, if any, it can access and whether that access is read-only or read/write.
  • Specifying how much memory the system is allowed to utilise.
  • Specifying a command to be run whenever the environment is started.

If we were to start the Windows Sandbox environment using the sample configuration file above, we would get something like the following:

Figure 4. Screenshot showing the environment after using the configuration file.


This environment would have access to a selection of reverse engineering tools hosted in a folder we provided read-only access to. The virtual GPU and network access have been disabled for the environment as well, and we’ve allowed it to access our Downloads folder.
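To make the setup above reproducible, here is an added PowerShell script (not from the original post) that covers both the installation step and the configuration file: it checks that the optional feature is enabled, writes a .wsb file with the settings described (vGPU off, networking off, a read-only tools folder, a writable Downloads folder, a memory cap and a logon command), and launches the sandbox from it. The feature name Containers-DisposableClientVM and the .wsb element names are Microsoft's; the folder paths C:\PenTest\Tools and the Desktop locations inside the sandbox are assumptions, as is the 4096 MB memory cap, so adjust them to your own layout.

```powershell
#Requires -Version 5.1
# Added example: build and launch a Windows Sandbox configuration.
# Run from an elevated prompt; the DISM cmdlets below require it.

# 1. Confirm the optional feature is enabled (the command-line equivalent of
#    ticking Windows Sandbox in "Turn Windows features on or off").
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM'
if ($feature.State -ne 'Enabled') {
    Write-Host 'Windows Sandbox is not enabled; enabling it now (a reboot is needed afterwards).'
    Enable-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -All -NoRestart
    return
}

# 2. Host folders to expose. The tools folder is mapped read-only so nothing
#    that runs inside the sandbox can alter the tool binaries; Downloads is
#    writable so samples can be moved in and out. Both paths are assumptions.
$ToolsFolder     = 'C:\PenTest\Tools'                       # hypothetical path
$DownloadsFolder = Join-Path $env:USERPROFILE 'Downloads'
foreach ($p in @($ToolsFolder, $DownloadsFolder)) {
    if (-not (Test-Path -LiteralPath $p -PathType Container)) {
        throw "Host folder not found: $p"
    }
}

# 3. The .wsb file is plain XML. Mapped folders are placed on the desktop of
#    the sandbox user (WDAGUtilityAccount); vGPU and networking are disabled,
#    memory is capped, and Explorer opens the tools folder at logon.
$wsb = @"
<Configuration>
  <vGPU>Disable</vGPU>
  <Networking>Disable</Networking>
  <MemoryInMB>4096</MemoryInMB>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$ToolsFolder</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Tools</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
    <MappedFolder>
      <HostFolder>$DownloadsFolder</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Downloads</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\Users\WDAGUtilityAccount\Desktop\Tools</Command>
  </LogonCommand>
</Configuration>
"@

# Write without a byte-order mark so the file is plain UTF-8.
$wsbPath = Join-Path $env:TEMP 'RE-Sandbox.wsb'
[System.IO.File]::WriteAllText($wsbPath, $wsb)

# 4. Launch the sandbox from the file (double-clicking the .wsb does the same).
Start-Process -FilePath 'WindowsSandbox.exe' -ArgumentList "`"$wsbPath`""
```

Because networking is disabled, any tool installers must be copied into the mapped tools folder on the host beforehand; the writable Downloads mapping is the only path by which a sample under analysis can reach the host, so keep that in mind when deciding what to expose.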

Reverse Engineering Using Windows Sandbox

With an environment set up like this from the configuration file specified, we can easily install some common reverse engineering tools such as Immunity Debugger or IDA.

Figure 5. Screenshot showing the environment after installing Immunity Debugger and IDA


These reverse engineering tools will still work and function as they would in any other Windows environment but are isolated from your host machine in the same way as if you were running a Windows virtual machine inside VMware or VirtualBox. Below are examples of four reverse engineering tools that can be run and utilised inside the sandbox environment, using Vulnserver as the target .exe file for each.

Immunity Debugger

Figure 6. Screenshot showing Immunity Debugger running inside the Sandbox


IDA

Figure 7. Screenshot showing IDA running inside the Sandbox


dnSpy

Figure 8. Screenshot showing dnSpy running inside the Sandbox


Radare2

Figure 9. Screenshot showing Radare2 running inside the Sandbox


Reminder

While this is a security feature that Microsoft added to help protect users of Windows from malware, it can still become an avenue of attack for malicious parties.

In 2020, reverse engineer Jonas Lykkegaard disclosed a zero-day vulnerability in Windows Sandbox on Twitter: https://twitter.com/jonasLyk/status/1300935382561894403

It allowed an unprivileged user to create an arbitrary file in the C:\Windows\System32 folder during the activation of Windows Sandbox; this exploit required Hyper-V to be active on the machine in question.


Conclusion

What Good Are These for Us?

To conclude, what good are these for us as penetration testers, and why would we want to use them over something like VMware or VirtualBox for normal VMs and Android Studio for emulators?

To begin with, they are faster to use and consume fewer resources than those products. There is no need to wait for VMware or VirtualBox to open and boot the OS before you can access any tools within.

As previously mentioned, there is also built-in integration between the host Windows operating system and these platforms. They are intended to add additional functionality and features to enrich the Windows operating system, and as such, more integrations will be added over time.

If corporate policies block the installation and use of VMware or VirtualBox, these built-in features sidestep that restriction. Alternatively, if your organisation uses Azure VMs, VMware and VirtualBox cannot be installed on the system.

I was talking to a client recently who stated that he was not allowed to install VMware or VirtualBox on his corporate machine to host a Kali Linux virtual machine. However, he got around this by installing the Kali Linux WSL image.

Honourable Mentions

Before we wrap this blog post up, there are some additional features introduced in Windows that deserve a mention but do not warrant a full section.

In 2020, Microsoft released the Windows Package Manager, allowing users to install applications and services from the command line. It can be run from PowerShell or Command Prompt using the command winget.

In 2022, Microsoft also released Dev Tunnels, a feature that allows users to share local web services on their machine across the internet.

In the August 2023 update for VS Code, Microsoft introduced a feature to allow for locally running services to be shared over the internet.

In 2019, Microsoft launched Windows Terminal, a terminal emulator. It became the default terminal application in Windows 11 and can be installed in Windows 10 through the Microsoft Store. It has a few useful features, such as window splitting and Quake Mode.