New Column: AppContainer
Posted: 22 Feb 2019 17:15
I would like to request the addition of a new column in Process Hacker that a user can optionally select: AppContainer.
Process Hacker (nightly builds) only labels some processes as AppContainer within the Token tab. I propose having two columns because not all Untrusted or Low integrity processes are AppContainer. So I would not suggest doing this the way that Process Explorer has done it.
For an example, please see the TokenViewer binary from James Forshaw's sandbox-attacksurface-analysis-tools. James is Chrome/Chromium's sandboxing wizard for Windows and I believe is also with Project Zero right now. Please see the latest binaries available: https://github.com/googleprojectzero/sa ... s/releases
You will see that TokenViewer has two columns: Integrity Level as well as AppContainer.
The AppContainer column is quite simple, simply showing True or False.
Personally, if this AppContainer column is implemented, it would be good to also show the more recent LPAC (Less Privileged AppContainer) differentiated from regular AppContainer. So the column contents could be: AC, LPAC or blank.
For some details on LPAC, see: https://github.com/M2Team/Privexec/issues/12
Essentially relating to the WIN://NOALLAPPPKG security attribute.
@dmex By the way, I want to thank you for your recent work with adding Capabilities in recent Nightly builds. Absolutely fantastic work!
Thank you for your time.
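The column values proposed in the post (AC, LPAC or blank, shown next to integrity level), as an added example that is not part of the original post and not Process Hacker code. It assumes the NtObjectManager PowerShell module from the sandbox-attacksurface-analysis-tools project is installed; the function name `Get-SandboxColumn` is hypothetical.

```powershell
# Added example. Assumption: NtObjectManager is installed (Install-Module NtObjectManager).
Import-Module NtObjectManager

function Get-SandboxColumn {
    param([int[]]$ProcessId = (Get-Process).Id)
    foreach ($id in $ProcessId) {
        try {
            # Open the primary token of the process.
            $token = Get-NtToken -Primary -ProcessId $id -ErrorAction Stop
        } catch {
            continue   # protected, inaccessible or already exited: skip it
        }
        try {
            # LPAC is an AppContainer token that also carries the
            # WIN://NOALLAPPPKG security attribute, so test it first.
            $col = if ($token.LowPrivilegeAppContainer) { 'LPAC' } elseif ($token.AppContainer) { 'AC' } else { '' }
            [pscustomobject]@{
                PID          = $id
                Name         = (Get-Process -Id $id -ErrorAction SilentlyContinue).ProcessName
                Integrity    = [string]$token.IntegrityLevel
                AppContainer = $col
            }
        } finally {
            $token.Dispose()
        }
    }
}

# Low and Untrusted integrity processes with their AppContainer state.
# Rows with a blank AppContainer value are the ones a single combined column would mislabel.
Get-SandboxColumn |
    Where-Object { $_.Integrity -in 'Low', 'Untrusted' } |
    Sort-Object AppContainer, Name |
    Format-Table -AutoSize
```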