A plugin for Sandboxie-Plus that counters detection of sbiedll.dll by programs running inside the sandbox.
- Bypasses common sandbox detection methods
- Supports both 32-bit and 64-bit applications
- Includes advanced TLS-based detection countermeasures
- Easy integration with Sandboxie-Plus
Compile the plugin yourself or download the pre-compiled files from Release.
Important: Ensure the plugin filename contains the string 'sbiehide', otherwise it will not hide itself.
Open the Sandboxie-Plus configuration file and add the following lines to each sandbox that should be hidden from the programs running inside it:
```
InjectDll64=Path\to\64\SbieHide.dll
InjectDll=Path\to\32\SbieHide.dll
```
For applications that use TLS (Thread Local Storage) for detection, we have added SbieHideEx and SbieHideExLoader.
Usage:
```
SbieHideExLoader.exe <target_executable> [arguments...]
```
Note: If you use SbieHideEx, you should NOT use the standard SbieHide plugin. Choose one method only.
The following detection techniques have been successfully bypassed:
- PEB (Process Environment Block) manipulation:
  - Peb->InLoadOrderModuleList
  - Peb->InMemoryOrderModuleList
  - Peb->InInitializationOrderModuleList
  - Peb->HashLinks
- Windows API hooking:
  - NtQueryVirtualMemory [MemoryBasicInformation|MemoryMappedFilenameInformation|MemoryRegionInformation|MemoryImageInformation|MemoryRegionInformationEx|MemoryEnclaveImageInformation|MemoryBasicInformationCapped]
  - NtQueryObject [ObjectNameInformation]
  - NtQueryInformationFile [FileNameInformation|FileAllInformation]
  - NtQuerySection [SectionOriginalBaseInformation]
- TLS-based detection (SbieHideEx only)

If some applications still detect sbiedll.dll, please:
- Verify you're using the correct method (SbieHide vs SbieHideEx)
- Ensure the plugin filename contains 'sbiehide'
- Check that the configuration is properly applied
- Create an issue with a sample application for further investigation
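
A pre-flight check for the troubleshooting list above, as an added example that is not part of the SbieHide project: it scans the sandbox configuration text, flags `InjectDll`/`InjectDll64` entries whose filename lacks 'sbiehide', and reads each DLL's PE header to confirm its bitness matches the key. The `[BoxName]` section layout, the box names, paths, stub PE headers and the case-insensitive filename match are assumptions.

```python
import struct

MACHINE = {0x014C: "x86", 0x8664: "x64"}  # PE COFF Machine field values
EXPECTED = {"injectdll": "x86", "injectdll64": "x64"}  # bitness each key should point at

def pe_machine(image):
    """Return 'x86' or 'x64' from a PE header, or None if the bytes are not such an image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    off = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew: offset of the PE signature
    if len(image) < off + 6 or image[off:off + 4] != b"PE\0\0":
        return None
    return MACHINE.get(struct.unpack_from("<H", image, off + 4)[0])

def check_config(ini_text, read_file):
    """Return (section, key, path, problem) tuples; read_file(path) gives bytes or None."""
    problems, section = [], None
    for raw in ini_text.splitlines():  # parsed by hand: a key may repeat within a section
        line = raw.strip()
        if line.startswith("["):
            section = line.strip("[]")
        key, sep, path = (part.strip() for part in line.partition("="))
        want = EXPECTED.get(key.lower())
        if not sep or want is None:
            continue
        name = path.replace("/", "\\").rsplit("\\", 1)[-1]
        if "sbiehide" not in name.lower():  # case-insensitive match is an assumption
            problems.append((section, key, path, "filename lacks 'sbiehide'"))
        image = read_file(path)
        arch = pe_machine(image) if image else "missing file"
        if arch != want:
            problems.append((section, key, path, f"expected {want} image, found {arch}"))
    return problems

# Constructed sample data: box names, paths and the stub PE headers are made up.
def fake_pe(machine):
    return b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + struct.pack("<H", machine)

SAMPLE_FILES = {r"C:\Tools\x64\SbieHide.dll": fake_pe(0x8664),
                r"C:\Tools\x64\hide.dll": fake_pe(0x8664)}
SAMPLE_INI = r"""[AnalysisBox]
InjectDll64=C:\Tools\x64\SbieHide.dll
InjectDll=C:\Tools\x64\SbieHide.dll
[ScratchBox]
InjectDll64=C:\Tools\x64\hide.dll
"""
if __name__ == "__main__":
    for problem in check_config(SAMPLE_INI, SAMPLE_FILES.get):
        print(*problem, sep=" | ")
```

For a real configuration, pass a `read_file` that returns the first few kilobytes of the DLL on disk, or `None` when the path does not exist.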
SbieHide is licensed under the MIT License. Dependencies are under their respective licenses.