A lightweight, CLI-based, userspace sandbox for Windows using Job Objects, restricted tokens, and a broker-mediated hook architecture.
RightsBox separates security from compatibility: Windows security features lock down the sandboxed process's rights, while ntdll hooking and the broker restore controlled access to operations the process still needs.
The sandbox's security boundary is enforced entirely through the OS:
- Token restriction — Strips admin group SIDs, adds restricting SIDs, and lowers the integrity level to Low. Access checks against the restricted token are made by the kernel, so the sandboxed process cannot reach protected resources on its own; a process that unhooks or bypasses the hook layer loses only the brokered access and gains nothing.
- Job Object confinement — Applies UI limits and `KILL_ON_JOB_CLOSE` (`JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE`) so that the entire sandboxed process tree is terminated when the job handle is closed.
A heavily restricted token breaks most programs. The hook layer restores selective access under policy control:
- Inline ntdll hooking — Intercepts the syscall stubs (`NtCreateFile`, `NtOpenFile`, `NtOpenKey`, `NtCreateUserProcess`, etc.) inside the sandboxed process. Operations that would fail under the restricted token are caught before they reach the kernel.
- Broker-mediated policy — Caught operations are forwarded over a named pipe to a medium-integrity broker running in the main process, which evaluates them against regex-based policy rules and performs the allowed ones on behalf of the sandboxed process.

Because the broker performs these operations with its own rights, the policy rules, not the hooks, decide what crosses the boundary. The hooks are a compatibility mechanism: a sandboxed process that tampers with them gets the kernel's denial instead of brokered access.
Child processes spawned inside the sandbox are automatically hooked, including cross-architecture scenarios (e.g., a 64-bit sandbox launching a 32-bit child).
| Binary | Role |
|---|---|
| `RightsBox.exe` | Main process (requires admin). Hosts the dispatcher, sandbox, and broker. |
| `RBoxRunner.exe` | Sandboxed launcher — spawned inside the sandbox with a restricted token, launches the user's target program. |
| `RBoxHook{64,32}.dll` | Hook DLL injected into every sandboxed process. Inline-hooks ntdll and routes blocked operations to the broker. |
| `RBoxInject{64,32}.exe` | Cross-architecture injection helper — used when a hooked process spawns a child of a different bitwidth. |
- Windows Vista or later (targets `_WIN32_WINNT=0x0600`)
- Administrator privileges
- Visual Studio 2022 Build Tools (MSVC, CMake)
```
cmake --preset vs2022-x64
cmake --build cmake-build-vs2022 --config Debug
```

Outputs: `cmake-build-vs2022/Debug/`

```
powershell -File build-all.ps1 -Configuration Debug
```

This builds both x64 and x86 targets and stages all artifacts into `dist/Debug/`.

```
cmake --preset vs2022-x86
cmake --build cmake-build-vs2022-x86 --config Debug
```

Launched without arguments, `RightsBox.exe` presents a menu:
- Run a program sandboxed
- Run as... (planned)
- Stop sandbox
- Options (planned)
- Exit
```
RightsBox.exe run_sandboxed <program_path> [args...]
```

Example:

```
RightsBox.exe run_sandboxed notepad.exe
RightsBox.exe run_sandboxed cmd.exe /k "echo Hello from sandbox"
```
The broker uses a regex-based policy engine. Rules are read from a `policy.conf` file; when none is present, built-in defaults apply.

```
# <action> <operation> <regex_pattern>
allow OPEN_FILE C:\\Users\\.*
deny DELETE_FILE C:\\Windows\\.*
allow QUERY_REG .*
deny * .*
```

- Actions: `allow`, `deny`
- Operations: `OPEN_FILE`, `DELETE_FILE`, `QUERY_FILE`, `OPEN_REG`, `QUERY_REG`, `WRITE_REG`, `OPEN_PROCESS`, `PING`, or `*` (any)
- The pattern is a regular expression, so backslashes in Windows paths are doubled, as in the sample above
- First matching rule wins; default is deny. Rule order therefore matters: a narrow `deny` placed before a broad `allow` carves out an exception, and a catch-all such as `deny * .*` belongs last
When no `policy.conf` is present, the built-in defaults are:
- Allow file reads from `C:\Users\` and `C:\Windows\`
- Deny file deletion in `C:\Windows\`
- Allow registry reads and process queries
- Deny everything else
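An evaluator for the rule format above, added here as an example and not RightsBox's own policy engine: it parses the `# action operation regex` lines, applies first-match-wins with default deny, and treats `*` as any operation. Beyond what the page states, it makes three choices a broker must make and labels them as this example's assumptions: the regex must match the whole target (so a rule for `C:\\Users\\.*` cannot be satisfied by a path that merely contains that string), matching is case-insensitive like Windows paths, and the `\??\` and `\\?\` prefixes the hooked syscalls carry are stripped before matching. The sample policy is the page's with one narrower deny added in front to show how ordering works.

```cpp
// Added example, not RightsBox's own code: evaluator for the policy.conf rule
// format (first match wins, default deny, "*" = any operation). The sample
// rules, whole-string matching, case folding and prefix stripping are assumptions.
#include <cstdio>
#include <regex>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

struct Rule {
    bool allow;
    std::string op;      // operation name, or "*" for any
    std::regex pattern;  // third column, compiled as an ECMAScript regex
};

// Parse policy text. Blank lines and '#' comments are skipped; the pattern is
// everything after the operation, so it may contain spaces. Malformed lines
// throw instead of being dropped, so a typo cannot silently widen the policy.
static std::vector<Rule> ParsePolicy(const std::string& text) {
    std::vector<Rule> rules;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        while (!line.empty() && (line.back() == '\r' || line.back() == ' ')) line.pop_back();
        auto first = line.find_first_not_of(" \t");
        if (first == std::string::npos || line[first] == '#') continue;
        std::istringstream fields(line);
        std::string action, op, pattern;
        fields >> action >> op >> std::ws;
        std::getline(fields, pattern);
        if ((action != "allow" && action != "deny") || op.empty() || pattern.empty())
            throw std::runtime_error("bad policy line: " + line);
        rules.push_back({action == "allow", op,
                         std::regex(pattern, std::regex::ECMAScript | std::regex::icase)});
    }
    return rules;
}

// Reduce the target to the form rules are written in. The broker sees NT
// object names from the hooked syscalls, so "\??\C:\x" and "\\?\C:\x" must
// not slip past a rule written for "C:\x". Junctions, 8.3 names and drive
// aliases still need resolving against the live file system, which this
// offline example does not do.
static std::string Canonicalize(std::string target) {
    if (target.rfind("\\??\\", 0) == 0 || target.rfind("\\\\?\\", 0) == 0) target.erase(0, 4);
    for (char& c : target) if (c == '/') c = '\\';
    return target;
}

// The first rule whose operation is "*" or equal to the request, and whose
// regex matches the entire target, decides. No match means deny.
static bool Evaluate(const std::vector<Rule>& rules, const std::string& op,
                     const std::string& target) {
    for (const auto& r : rules) {
        if (r.op != "*" && r.op != op) continue;
        if (std::regex_match(target, r.pattern)) return r.allow;
    }
    return false;
}

// Constructed sample: the page's policy with a narrower deny placed first,
// which is how a rule order carves an exception out of a broad allow.
static const char* const kSamplePolicy = R"(# <action> <operation> <regex_pattern>
deny  OPEN_FILE   C:\\Users\\.*\\secret\\.*
allow OPEN_FILE   C:\\Users\\.*
deny  DELETE_FILE C:\\Windows\\.*
allow QUERY_REG   .*
deny  *           .*
)";

static bool Decide(const std::string& op, const std::string& rawTarget) {
    static const std::vector<Rule> rules = ParsePolicy(kSamplePolicy);
    return Evaluate(rules, op, Canonicalize(rawTarget));
}

int main() {
    std::printf("%d\n", Decide("OPEN_FILE", "\\??\\C:\\Users\\bob\\notes.txt"));  // 1
    std::printf("%d\n", Decide("OPEN_FILE", "C:\\Users\\bob\\secret\\key.pem"));  // 0
    std::printf("%d\n", Decide("DELETE_FILE", "C:\\Windows\\System32\\x.dll"));   // 0
    std::printf("%d\n", Decide("QUERY_REG", "\\Registry\\Machine\\Software"));    // 1
    std::printf("%d\n", Decide("WRITE_REG", "\\Registry\\Machine\\Software"));    // 0
    return 0;
}
```

The whole-string match is the point worth keeping whatever engine is used: with a search-style match, `allow OPEN_FILE C:\\Users\\.*` would also admit `D:\evil\C:\Users\x`, and the `deny * .*` catch-all would never be reached for it.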
```
rightsbox/   Main executable: entry point, dispatcher, sandbox setup, IOCP monitoring
broker/      Broker server: named pipe listener, policy engine, wire protocol
hook/        Hook DLL: inline ntdll hooks, embedded broker client
inject/      Cross-architecture injection helper
runner/      Sandboxed launcher (RBoxRunner)
utils/       Token manipulation and OS version utilities
```
MIT License. See source files for details.