nick s
I see that when I run List Registry Links unsandboxed...
It's interesting to watch the continuous symbolic registry link activity when running ListRegistryLink sandboxed.
_________________ Nick
bs1
Buster,
It looks like you're getting some notoriety. (Scroll down to the "Tests and malware analysis tools" section.) Congrats.
_________________ Desktop: XP Pro SP3 32bit, Sandboxie 3.72, NOD32 AV, MBAM (free), Windows Firewall + router
Laptop: Win7 Home Pro 64bit, Sandboxie 3.76, Panda Cloud (free), Windows Firewall
Buster
I like BSA has its own section because that means it has some originality.
Ruhe
As hoster of BSA I can confirm this, as I see at the traffic on the domain.
jumanji
Great buster keep up the good work.
Buster
Buster Sandbox Analyzer 1.06 has been released.
Change list:
- Added Sandboxie hidden capabilities
- Improved BSA.DAT (thanks to nick s)
- Fixed a bug in Buster Sandbox Analyzer
- LOG_API library completely rewritten
Buster
Note for the people interested in hiding Sandboxie:
Read BSA.PDF to know how to hide Sandboxie. It's not necessary that you run BSA to hide Sandboxie. It's only necessary that you inject LOG_API.DLL and run the driver to hide processes.
hotmog
Hi Buster
I downloaded BSA today, and have followed the instructions to install and use it, including renaming LOG_API.DLL to an aleatory name as recommended. All the files are in a folder called "BSA" in the C:\ root directory. I've created a new sandbox called BSA specifically for when I want to run the analyzer, which has auto-delete turned off. However I also added the two command lines:
InjectDll=c:\bsa\log_api.dll (with log_api.dll amended to its aleatory name)
OpenWinClass=TFormBSA
to the Defaultbox settings. The Defaultbox is configured to force iexplore.exe to run within it whenever IE is opened outside the sandbox. Now, whenever I open IE, I get an SBIE2313 error "Could not execute SandboxieRpcSs.exe", and SBIE2204 "Cannot start SandboxieRpcSs service". However, if I terminate all sandboxed processes, then right-click on the Defaultbox and select Run Web Browser, IE opens normally. Once that has happened, I can click on the IE icon from the taskbar to launch another instance of IE OK, with no errors. Any idea what's causing this, and how it can be resolved?
_________________ Hotmog's Victorian Breweriana - (link removed)
nick s
During the 1.06 betas, Buster explained the issue this way: log_api.dll intercepts GetModuleHandle requests for SbieDll.dll and returns "nothing found". This is desirable when running sandboxed malware that tries to detect Sandboxie. Unfortunately, it breaks forced programs. It's best to have a dedicated sandbox for use with BSA and set another sandbox to manage your forced programs.
hotmog
Thanks for that info, Nick. I've now removed those two command lines from the Defaultbox configuration settings.
Just tried it - I rather like that! Surprisingly, it still runs in "stealth" mode even though only the Defaultbox is opened, which doesn't now have the InjectDll command. I don't suppose there's any chance of enabling some sort of facility to retain/load the initialization parameters - i.e. driver path & process names - in a configuration file, rather than having to store them in a text file and paste them into the HideDriverGUI.exe program every time I want to run it? Also, will it work with non-Sandboxie processes (I was thinking of Shadow Defender, for example)?
Buster
This feature has been requested from the guys who coded the driver to hide processes. Unfortunately they didn't reply to it.
You can learn more about the driver here: http://www.codeproject.com/KB/system/hide-driver.aspx
Maybe someone with more experience than me in C++ would be able to add the feature. I must say also that hiding Sandboxie is like a process in two steps. The driver to hide processes is the first part and injecting LOG_API.DLL would be the second. I suggest you create a sandbox specifically for BSA and add the injection of LOG_API.DLL in that sandbox and not in the Defaultbox, where it will create problems with your forced programs.
hotmog
Hi Buster
I have already created a sandbox specifically for BSA, which has the InjectDll command for LOG_API.DLL. That command has been removed from the Defaultbox, and I no longer have an issue with IE. That is why I am surprised that the Sandboxie processes still remain hidden when only the Defaultbox is opened (after rebooting & rerunning HideDriverGUI.exe). I don't understand the significance of the inject dll stage. I had a look at your link, but I'm no C++ programmer either, so I'm afraid I'm none the wiser.
Buster
The driver to hide processes takes care of the "more visible" components of Sandboxie: Sbiesvc.exe, SbieCtrl.exe, SandboxieDComLaunch.exe and SandboxieRpcSs.exe. I mean that when you hide Sandboxie components you can easily check if they are hidden just by opening the Task Manager and checking if they appear there. But have you tried to check if SbieDll.Dll is visible when you don't inject LOG_API.DLL? Do you know how to check that?
I suggest two programs to check:
1) Process Explorer http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
2) VMMap http://technet.microsoft.com/en-us/sysinternals/dd535533.aspx
You can test this way: Don't inject LOG_API.DLL and sandbox NOTEPAD.EXE. Then open Process Explorer and select the NOTEPAD.EXE process. Go to "View" -> "Show Lower Panel". Then "View" -> "Lower Pane View" -> "DLLs". SbieDll.dll will be listed. You can close Process Explorer but keep the sandboxed instance of NOTEPAD.EXE. Run VMMap and select NOTEPAD.EXE. Again you will see SbieDll.Dll.
LOG_API.DLL makes SbieDll.Dll invisible for such programs. Test and let me know if that's right.
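The same two checks as a script, added here as an example that is not from the thread, from BSA or from Sandboxie: one function lists which processes have SbieDll.dll in their loaded-module list (the out-of-process view that Process Explorer's DLLs pane and VMMap give), and one asks the running PowerShell's own GetModuleHandle, the call nick s says log_api.dll intercepts. The function names, the parameter and the P/Invoke wrapper are my own; the script assumes a Windows PowerShell console.

```powershell
# Added example, not part of BSA or of the thread. Function names are mine.
param([string]$ModuleName = 'SbieDll.dll')

# Out-of-process view: which processes carry the module in their loaded-module list.
# This is the same enumeration Process Explorer's "DLLs" pane and VMMap show by hand.
function Get-ModuleHosts {
    param([string]$Name)
    foreach ($p in Get-Process) {
        try { $mods = $p.Modules } catch { continue }   # access denied or 32/64-bit mismatch
        $hit = $mods | Where-Object { $_.ModuleName -ieq $Name } | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{ Pid = $p.Id; Process = $p.ProcessName; Path = $hit.FileName }
        }
    }
}

# In-process view: ask this PowerShell's own GetModuleHandle, the call that
# log_api.dll is said to intercept for SbieDll.dll when it is injected into the sandbox.
Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
'@
function Test-ModuleHandle {
    param([string]$Name)
    # $true when the module is found from inside this process, $false when "nothing found"
    [Win32.Kernel32]::GetModuleHandle($Name) -ne [IntPtr]::Zero
}

"This PowerShell (PID $PID) sees $ModuleName via GetModuleHandle: $(Test-ModuleHandle -Name $ModuleName)"
$hosts = @(Get-ModuleHosts -Name $ModuleName)
if ($hosts.Count -eq 0) { "No inspectable process has $ModuleName loaded." }
else { $hosts | Format-Table -AutoSize }
```

Run it unsandboxed (elevated, so other processes' module lists are readable) to get the Process Explorer-style listing, and inside the BSA sandbox with and without the InjectDll line to compare what the in-process GetModuleHandle returns.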
hotmog
Hi Buster
Yes, you're dead right! Previously I only did a CTRL/ALT/DEL to check the processes, but when I ran Process Explorer using your instructions, SbieDll.Dll is indeed still visible. Clearly, running Sandboxie in "stealth mode" by default is not going to be a feasible option for me. My wife uses this PC under her own user account; she neither knows, nor wishes to know, the ins and outs of Sandboxie. So the fact that Internet Explorer is sandboxed when she connects to the internet has to be completely transparent, hence IE being a forced program in the Defaultbox. At least I understand a lot more now than I did earlier about how to use your excellent add-on facility to Sandboxie, and can always run it completely "hidden" using my dedicated sandbox should I feel the urge. Many thanks for your sound advice.
Buster Sandbox Analyzer