
SBIE2329

Message: SBIE2329 Failed to find FFS sequence %2

Severity: Error (popup)

Description

This message is raised when Sandboxie's DLL hook installer attempts to find a Fast-Forward Sequence (FFS) target for a function but cannot recognise the expected instruction pattern. Sandboxie uses FFS detection to follow small trampoline stubs (commonly used by browsers or other applications) to the real/native target and install hooks there. When that sequence cannot be found or resolved, SBIE2329 is logged and the hook installer may fall back to a different hooking strategy or report failure.

The message includes the name of the function for which the FFS sequence could not be found.
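
The general idea of following a jump stub to its real target, and of giving up when no known pattern matches, shown as an added C example that is not Sandboxie's code. It generalises to three common x64 jump encodings; `image_t`, `resolve_stub` and the byte image are constructed for illustration, and the actual FFS patterns recognised by Sandboxie are not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: bytes of a hypothetical module mapped at va 0x1000. */
typedef struct { const uint8_t *bytes; size_t size; uint64_t base; } image_t;
static const uint8_t IMG[0x40] = {
    [0x00] = 0xE9, 0x0B, 0, 0, 0,              /* 0x1000: jmp 0x1010            */
    [0x08] = 0xE9, 0x00, 0x10, 0, 0,           /* 0x1008: jmp outside the image */
    [0x10] = 0xFF, 0x25, 0x0A, 0, 0, 0,        /* 0x1010: jmp qword [0x1020]    */
    [0x20] = 0x30, 0x10,                       /* 0x1020: pointer -> 0x1030     */
    [0x30] = 0x48, 0x89, 0x5C, 0x24, 0x08,     /* 0x1030: ordinary prolog       */
    [0x38] = 0xEB, 0xFE,                       /* 0x1038: jmp to itself         */
};
static const image_t SAMPLE = { IMG, sizeof IMG, 0x1000 };

/* Bounds-checked read: pointer to len bytes at va, or NULL if out of range. */
static const uint8_t *at(const image_t *img, uint64_t va, size_t len) {
    uint64_t off = va - img->base;
    if (va < img->base || off > img->size || len > img->size - off) return NULL;
    return img->bytes + off;
}

/* Follow x64 jump stubs from va (little-endian host assumed). Returns the first
 * non-stub address, or 0 if a hop leaves the image or max_hops is exceeded. */
uint64_t resolve_stub(const image_t *img, uint64_t va, int max_hops) {
    for (int hop = 0; hop <= max_hops; hop++) {
        const uint8_t *op = at(img, va, 1), *p;
        int32_t d; uint64_t slot;
        if (!op) return 0;                                 /* left the image */
        if (op[0] == 0xE9) {                               /* jmp rel32 */
            if (!(p = at(img, va, 5))) return 0;
            memcpy(&d, p + 1, sizeof d);
            va += 5 + (int64_t)d;
        } else if (op[0] == 0xEB) {                        /* jmp rel8 */
            if (!(p = at(img, va, 2))) return 0;
            va += 2 + (int64_t)(int8_t)p[1];
        } else if (op[0] == 0xFF && (p = at(img, va, 6)) && p[1] == 0x25) {
            memcpy(&d, p + 2, sizeof d);                   /* jmp qword ptr [rip+disp32] */
            if (!(p = at(img, va + 6 + (int64_t)d, sizeof slot))) return 0;
            memcpy(&slot, p, sizeof slot);
            va = slot;
        } else return va;                                  /* real code reached */
    }
    return 0;                                              /* chain too long or looping */
}

int main(void) {
    printf("0x1000 resolves to %#llx\n", (unsigned long long)resolve_stub(&SAMPLE, 0x1000, 8));
}
```

A return value of 0 is this sketch's equivalent of the unresolved case: the caller has to fall back to another strategy or report failure instead of patching an address it could not verify.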

Typical Causes

  • The target binary has changed (new browser or application version) and the heuristic patterns no longer match.
  • The function prolog is compiled or optimized differently (different toolchain, compile-time options) so the FFS pattern is not present.
  • The code is obfuscated, packed, or replaced by a small stub that doesn't contain the expected FFS table/pointer.
  • Architecture/compatibility differences (x86 vs x64 vs ARM) where the available heuristics don't cover the observed pattern.

Suggested Actions

  1. Update to the latest Sandboxie build — hook heuristics are updated periodically to handle new browser/application layouts. [1]
  2. Test with a different build or vendor of the same program (a different Chromium-based build, a different Firefox build) to confirm whether the issue is specific to a particular build. [2]
  3. If hooking that specific function is non-essential, exclude the function or module from hooking (use the function-level or module-level skip settings or the tracing/hook-skip configuration exposed by the DLL). This prevents the FFS resolution attempt for the named function. [3]
  4. Collect diagnostics to report to maintainers: process image name, module name and base, function name (as reported in the popup), OS build, and a small memory dump or disassembly of the function prolog so maintainers can update the heuristic. [4]

Related Messages

  • SBIE2303 — Generic hook error used for various hook failures
  • SBIE2328 — Failed to resolve chrome sandbox hook (Chrome/Firefox trampoline heuristics)

Implementation notes and footnotes

These notes are for maintainers and advanced users who want to trace how and where SBIE2329 can be produced. Line numbers are intentionally omitted.


  1. The FFS detection and resolution helpers are implemented in common/hook_util.c (functions such as Hook_GetFFSTarget, Hook_GetFFSTargetOld, and Hook_GetFFSTargetNew). These functions contain the architecture-aware heuristics that recognise FFS prolog sequences and resolve them to the real/native target address. 

  2. The DLL hook installer (core/dll/dllhook.c) calls Hook_GetFFSTarget() when attempting to install a hook. If no FFS target is found the hook path logs SBIE2329 via a call to the logging API (the code calls SbieApi_Log(2329, ...) for unresolved FFS cases) and records hook statistics indicating the absence of an FFS target. 

  3. Hook_GetFFSTarget() is reused from other places that rely on the same resolution logic (for example injection and tracing code paths in core/low/inject.c and core/dll/gui.c), so failures may surface in multiple subsystems when the same heuristic cannot resolve a trampoline. 

  4. When filing bug reports, include the function name shown in the popup and the module image (or a small extracted prolog/disassembly). That information is typically sufficient for maintainers to reproduce the pattern and extend the heuristic.