Potential Handle Leak in SbieDll.dll Related to SbieApi_DeviceHandle

[DreamingB0y]

Describe what you noticed and did

Hello, Mr. David.

I believe I’ve identified a handle leak issue in the interaction between SbieDll.dll and SbieDrv.sys under specific conditions.

🔍 Reproduction Steps
Ensure SbieDrv.sys and SbieSvc.exe services are running.
In a test process, repeatedly:
LoadLibrary("SbieDll.dll")
FreeLibrary("SbieDll.dll")
Monitor handle count for the process using Process Explorer or similar tools.
Observe that the number of open handles to \Device\SandboxieDriverApi increases with each load/unload cycle — and never decreases.
🕵️ Root Cause Analysis
The issue stems from the initialization logic in HookInit() (called during DLL_PROCESS_ATTACH in DllMain):

When SbieDll.dll is loaded, HookInit() queries the registry setting "HookTrace".
During this process, if SbieApi_DeviceHandle is uninitialized (which it is on first load), the code calls NtOpenFile to obtain a handle to the driver.
However, when SbieDll.dll is later unloaded (DLL_PROCESS_DETACH), no corresponding CloseHandle(SbieApi_DeviceHandle) is called.
As a result, each LoadLibrary/FreeLibrary cycle creates a new device handle that is never released, leading to a persistent handle leak.
✅ Suggested Fix
To fix this issue, DllMain can be updated to include either CloseHandle(SbieApi_DeviceHandle) or SbieApi_Ioctl(NULL) when dwReason == DLL_PROCESS_DETACH

How often did you encounter it so far?

each time

Expected behavior

I hope you can fix this issue

Affected program

Not relevant

Download link

Not relevant

Where is the program located?

Not relevant to my request.

Did the program or any related process close unexpectedly?

No, not at all.

Crash dump

No response

What version of Sandboxie are you running now?

SandboxiePlus 1.16.6

Is it a new installation of Sandboxie?

I recently did a new clean installation.

Is it a regression from previous versions?

No response

In which sandbox type you have this problem?

In a standard isolation sandbox (yellow sandbox icon).

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty sandbox.

What is your Windows edition and version?

All Windows OS Version

In which Windows account you have this problem?

Not relevant to my request.

Please mention any installed security software

Not relevant

Did you previously enable some security policy settings outside Sandboxie?

No response

Trace log

No response

Sandboxie.ini configuration

[DavidXanatos]

Well that will be so, but then you are not intended to load/unload/load/unload/load/unload the sbiedll.dll
in what real life scenario would that be the case?
SbieDll.dll also does not undo the hooks so unloading it will result in a crash after something has been hooked already.

[DreamingB0y]

Well that will be so, but then you are not intended to load/unload/load/unload/load/unload the sbiedll.dll in what real life scenario would that be the case? SbieDll.dll also does not undo the hooks so unloading it will result in a crash after something has been hooked already.

yeah, it is a potential stability issue, not critical.

[DavidXanatos]

I would be interested to know the usecase where you run into this issue.

[DavidXanatos]

So I have moved the hook trace init to other trace inits, it wont longer be triggered when just loading sbiedll.dll
And I have added a ntclose on dll unlload, which will be used when the dll was loaded by an unsandboxed process.
So 1. loading sbiedll.dll for otehr purposes wont connect to teh driver on load and 1. when functions were called that establich a conneciton it will be disconneced on unload.

[offhub]

Sandboxie no longer starts up correctly after this fix. (unkown user sid?)

[DavidXanatos]

indeed fix committed

[DreamingB0y]

ok, thanks for your fixing.