From e0e4b8882ef4f55a31c4ab6e6fd0c15d0799a1da Mon Sep 17 00:00:00 2001
From: DavidXanatos <3890945+DavidXanatos@users.noreply.github.com>
Date: Mon, 2 Sep 2024 12:44:30 +0200
Subject: [PATCH] 1.14.7
---
 CHANGELOG.md | 2 +-
 Sandboxie/core/dll/ipc.c | 11 ++++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 07c311fede..b7f8d5e9fa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,7 +20,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 ### Fixed
 - fixed and improved HideDiskSerialNumber option causes applications to crash [#4185](https://github.com/sandboxie-plus/Sandboxie/issues/4185)
 - fixed encrypted proxy password was inproeprly formated [#4197](https://github.com/sandboxie-plus/Sandboxie/issues/4197)
-
+- fixed NtQueryDirectoryObject (you should not return "STATUS_MORE_ENTRIES") as this is a EASY Sandbox Detection [#4201](https://github.com/sandboxie-plus/Sandboxie/issues/4201)
 ## [1.14.6 / 5.69.6] - 2024-07-30
diff --git a/Sandboxie/core/dll/ipc.c b/Sandboxie/core/dll/ipc.c
index e9b0876a4e..2e4b6ae690 100644
--- a/Sandboxie/core/dll/ipc.c
+++ b/Sandboxie/core/dll/ipc.c
@@ -4321,7 +4321,7 @@ _FX NTSTATUS Ipc_NtQueryDirectoryObject(
 ULONG len = sizeof(OBJECT_DIRECTORY_INFORMATION) + (cur->Name.MaximumLength + cur->TypeName.MaximumLength) * sizeof(WCHAR);
- if (TotalLength + len > Length)
+ if (Buffer && TotalLength + len > Length)
 break; // not enough space for this entry
 CountToGo++;
@@ -4331,6 +4331,15 @@ _FX NTSTATUS Ipc_NtQueryDirectoryObject(
 break; }
+ //
+ // probe case
+ //
+
+ if (!Buffer) {
+ if (ReturnLength) *ReturnLength = TotalLength;
+ return STATUS_BUFFER_TOO_SMALL;
+ }
+
 // // fill output buffer //
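Review bot: In the first ipc.c hunk the `Buffer &&` guard makes the counting loop ignore `Length` whenever no buffer is supplied, so `TotalLength` ends up as the size of every entry the loop visits and is the value the probe branch reports; that intent is not stated at the check. I would add a comment on that line, e.g. `// no buffer: size probe, keep counting past Length`. Separately, `len` multiplies `MaximumLength` by `sizeof(WCHAR)`; if `Name` and `TypeName` are UNICODE_STRINGs those fields are already byte counts, so the probed size may be larger than the unhooked call would report, which matters for a fix whose purpose is to remove an observable difference from the native call. The loop header and the declaration of `cur` are outside the hunk, so this needs confirming against the full function.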
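Review bot: The probe branch in the second ipc.c hunk is selected by `!Buffer` alone, so a caller that passes a non-NULL buffer whose `Length` is too small for the first entry still falls through to the fill path, presumably with `CountToGo` at zero. The status and `ReturnLength` that path produces are outside the hunk and should be checked against the same native behaviour this fix targets, since a mismatch there would leave a similar way for sandboxed code to tell the hook from the real call. The `// probe case` comment could state what is being emulated, e.g. `// probe case: no buffer given, report the bytes needed and fail with STATUS_BUFFER_TOO_SMALL`. The early `return` also bypasses everything after the fill step, so any cleanup or context update done there (not visible here) is skipped on this path.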