Ohook in Sandboxie #766

Closed
giiutfff opened this issue Jan 18, 2025 · 15 comments

@giiutfff

giiutfff commented Jan 18, 2025

I am trying to install Office 2019 in Sandboxie to have another layer of protection against vulnerabilities like CVE-2023-21716. Despite successfully installing Office in Sandboxie, the activation does not work.

Hoping Ohook can solve this, but it seems Ohook relies on sppsvc which is not working correctly in Sandboxie.

Specifically:

  1. Manually install Ohook, because the cmd does not work in Sandboxie. The key is not installed, because slmgr does not work either.
  2. Start the Office app; it reports damaged after running a few minutes.
  3. Restart the app; it becomes deactivated.

Is there any way to make Ohook work in Sandboxie?

Regards.

@thecatontheceiling
Member

thecatontheceiling commented Jan 18, 2025

Have you tested if Office works before you do anything Ohook related?

Either way I personally don't think sandboxing Office is a reasonable thing to do. Office 2019 still has support, just keep it up to date.

The CVE you linked to was fixed 2 years ago, and was privately disclosed to Microsoft and fixed before the existence of it became public. These high severity vulnerabilities for Office come around very rarely and are fixed extremely quickly by Microsoft.

@thecatontheceiling
Member

thecatontheceiling commented Jan 18, 2025

If you insist, we still cannot help you with this, Ohook (and by extension Office) requires access to Windows licensing components, even before the Office installer is finished. If sandboxing doesn't allow for this kind of access to these components, we cannot help you.

I'd suggest just installing Office outside of a sandbox instead.

@thecatontheceiling
Member

Office 2019 has support left until October 2025, Office 2021 has support until October 2026

thecatontheceiling closed this as not planned Jan 18, 2025

@giiutfff
Author

> Have you tested if Office works before you do anything Ohook related?

It works in demo mode, aka not activated.

> Either way I personally don't think sandboxing Office is a reasonable thing to do. Office 2019 still has support, just keep it up to date.
>
> The CVE you linked to was fixed 2 years ago, and was privately disclosed to Microsoft and fixed before the existence of it became public.

Yes, it is still supported, I just want an additional layer of protection against unknown vulnerabilities, considering that I need to view a lot of files from untrusted sources, and some with VBA enabled.

> If you insist, we still cannot help you with this, Ohook (and by extension Office) requires access to several licensing API's, if sandboxing doesn't allow it access to those API's (assuming that is the issue) we cannot help you.

Maybe remove the dependency on sppsvc?

> You may try performing a normal online KMS activation using a 3rd party KMS server

KMS needs slmgr, so no.

> if you're really desperate although I'd suggest just installing Office outside of a sandbox instead.

Nope, that will leave C2R outside the sandbox and is very dangerous, basically opening holes in Sandboxie by allowing a bunch of IPC for C2R.

@giiutfff
Author

> Office 2019 has support left until October 2025, Office 2021 has support until October 2026

That's less than a year, and Office 2021 does not even install in sandbox.

BTW, You guys reply fast 🤣

@thecatontheceiling
Member

thecatontheceiling commented Jan 18, 2025

No, you can't just "remove" dependencies like that without resorting to extremely hacky things and without facing issues. Unfortunately Microsoft Office wasn't designed with that in mind.

If you're really this paranoid, I'm pretty sure there's a free online version of Office available by Microsoft somewhere, I used to use it for some time before Ohook was a thing. Again I'll just say, in my opinion, there's very little reason to be this paranoid.

You can also look into Microsoft Office alternatives that would likely work under a sandbox (OnlyOffice, LibreOffice, etc.).

@ave9858
Member

ave9858 commented Jan 18, 2025

Just virtualize office instead of relying on some shitty sandboxing software which exposes a huge attack surface

@thecatontheceiling
Member

> BTW, You guys reply fast 🤣

I just happened to check my phone a few minutes after you made the issue :P

@giiutfff
Author

> No, you can't just "remove" dependencies like that without resorting to extremely hacky things and without facing issues. Unfortunately Microsoft Office wasn't designed with that in mind.

I thought Ohook is already extremely hacky, because it does not need a KMS or anything like that.

> If you're really this paranoid, I'm pretty sure there's a free online version of Office available by Microsoft somewhere, I used to use it for some time before Ohook was a thing. Again I'll just say, in my opinion, there's very little reason to be this paranoid.
>
> You can also look into Microsoft Office alternatives that would likely work under a sandbox (OnlyOffice, LibreOffice, etc.).

As I said, some files are VBA enabled, and none of these apps support it.

> Just virtualize office instead of relying on some shitty sandboxing software which exposes a huge attack surface

That is actually doable, but with a huge overhead. And moving files in and out of the VM is also a headache. That is why I am trying to use a sandbox. And a sandbox is NOT shitty, provided you configure it correctly.

@thecatontheceiling
Member

thecatontheceiling commented Jan 19, 2025

VMWare is pretty fast for all of my tests (even when I allocate it a whopping two cores). I'm certain Office would work fine lol. It's definitely better than trusting your sandbox to keep you safe. It's inherently a lot more insecure than virtualization and would not be a bad alternative considering you're very paranoid about the files you're opening.

Sandboxes are "shitty" because it's not possible to completely isolate anything on Windows without involving some kind of virtualization.

@thecatontheceiling
Member

> I thought Ohook is already extremely hacky

Ohook is a dll proxy. Nothing about it is hacky really.

@giiutfff
Author

> VMWare is pretty fast for all of my tests. I'm certain Office would work fine lol.

Totally agree. But it is a lot less convenient, as Sandboxie can automatically move files in and out.

> It's definitely better than trusting your sandbox to keep you safe. It's inherently a lot more insecure than virtualization and would not be a bad alternative considering you're very paranoid about the files you're opening

That is why I do not want to install Office outside of the sandbox and run it inside (BTW it works absolutely fine this way). To prevent IPC holes 🤔, I need to install everything inside the sandbox.

> Sandboxes are "shitty" because it's not possible to completely isolate anything on Windows without involving some kind of virtualization.

I do not think there is any virtualization. It just replaces some system services and blocks the rest. And yes, things like screen capture are not blocked, but I just firewall it, so that is not a privacy issue.

@giiutfff
Author

> Ohook is a dll proxy. Nothing about it is hacky really.

Maybe reimplement sppc instead of just a proxy? Is that possible? I know some C++ if it matters.

@thecatontheceiling
Member

Sorry but we really can't help you with this. The best solution we can offer is just using a VM for office. Good luck getting activation to work correctly in any sort of capacity while Office is under a sandbox.

@giiutfff
Author

> Sorry but we really can't help you with this. The best solution we can offer is just using a VM for office. Good luck getting activation to work correctly in any sort of capacity while Office is under a sandbox

OK, I will look for other solutions. Thanks.
