4

My Windows XP/7 program launches a child process using the Windows API CreateProcess() function as part of its operations. I want to be able to "sandbox" the application in one but only one particular way. I do not want to let the child process spawn processes of its own (grandchildren). Is there a way to do this without having to do any hooking or DLL injections (or IAT patching)?

I saw this MSDN page on Process Security and Access Rights:

http://msdn.microsoft.com/en-us/library/windows/desktop/ms684880(v=vs.85).aspx

I noticed the following process specific access rights:

PROCESS_CREATE_PROCESS (0x0080) Required to create a process.

Could I launch the child process in the suspended state, remove that access right via an XOR operation, update the child process' access rights with SetSecurityDescriptor(), and resume it to keep it from creating its own child processes? Or should I apply it to the EXE file on disk instead? Would this work?

If so, I'd appreciate a good code sample using SetSecurityDescriptor() that would show me the nuances of doing this properly. If this approach would not work, any ideas or tips you might have would be appreciated.

Robert Oschler

1 Answer

8

You can use Job objects to set limits on the processes in a job: JOBOBJECT_BASIC_LIMIT_INFORMATION.ActiveProcessLimit

Anders
  • Thanks @Anders. If you come across a code sample, please let me know. – Robert Oschler Jan 22 '12 at 03:51
  • 1
    @RobertOschler Except for the port completion (which you don't need for your task) dealing with job objects is easy enough: Create a job object, set the limits, create a suspended process and add this process to the job before you resume it... – Anders Jan 22 '12 at 03:54
  • 1
    I don't have a compiler on this machine but it should be something like http://pastebin.com/8EntStEu – Anders Jan 22 '12 at 04:16