Trust No Program
Buster


Joined: 06 Aug 2007
Posts: 2185
Guest10: Thanks for the side note!

I may include it in BSA's manual.
Buster


Joined: 06 Aug 2007
Posts: 2185
Released Buster Sandbox Analyzer 1.10.

Change list:

Added File Hash, File Strings and some other features

The new features don't improve malware detection capabilities, but they may be of help to malware analyzers.
Buster


Joined: 06 Aug 2007
Posts: 2185
In one of my first posts on this thread I wrote:

Quote:
Additional notes:

BSA reflects the changes that would be made to the system. Temporary changes are not shown, e.g. if a file is created inside the sandbox and later deleted before the processes are terminated. The same applies to registry entries.


In current versions of BSA, temporary changes to files and the registry can be checked by reviewing LOG_API.TXT.
Virus Mal/HckPk-A claimed by Webroot from uncompressing BSA
SandboxieLiker
Guest

After downloading BSA now from http://bsa.qnea.de/bsa.rar with an up-to-date "Webroot Anti-Virus with Spy Sweeper" running in the background, I got the following warning from Webroot at the end of uncompressing with 7-Zip:

"Mal/HckPk-A is attempting to access the file system"

with log note "File System Shield: found: Virus: Mal/HckPk-A, version"
Buster


Joined: 06 Aug 2007
Posts: 2185
Could you send the package to Webroot's support team and ask them to remove the false positive, please?

That's a generic detection:

http://www.sophos.com/security/analyses/viruses-and-spyware/malhckpka.html
Buster


Joined: 06 Aug 2007
Posts: 2185
Released Buster Sandbox Analyzer 1.11.

Change list:

Added File Hex Editor.


Version 1.11 includes a built-in hex editor.
Buster


Joined: 06 Aug 2007
Posts: 2185
Released Buster Sandbox Analyzer 1.12.

Change list:

Added File Scanner.


Version 1.12 includes a feature to submit files to VirusTotal to be scanned.
Buster


Joined: 06 Aug 2007
Posts: 2185
DarkStalker, from Wilders' forum, asked me if Buster Sandbox Analyzer works under x64. Well, I don't have an x64 system, so I asked for help and nick s was so kind to test the tool for me.

nick s reported that the packet sniffer, view filediff/regdiff/etc., file hash, hex editor, etc. all work fine. Everything works except LOG_API.DLL.

Talking with tzuk about making a 64-bit version of the DLL he told me LOG_API should work fine in x64 systems: 32-bit LOG API DLL should be injected into the 32-bit malware process just fine, with the same old InjectDll setting.

nick s: the bottom line is that if LOG_API didn't work, it is because something was not correctly configured. Could you comment on how you injected the DLL? Maybe tzuk can notice the problem.
nick s


Joined: 20 Dec 2008
Posts: 329
Buster wrote:
nick s: the bottom line is that if LOG_API didn't work, it is because something was not correctly configured. Could you comment on how you injected the DLL? Maybe tzuk can notice the problem.

The good news is that I had specified the wrong path to LOG_API.DLL in Sandboxie.ini. I omitted "(x86)".

The bad news is that now, with the correct path, all sandboxed apps crash with an error like this...

Quote:
The instruction at 0x73f34b99 referenced memory at 0x00000008. The memory could not be read. Click on OK to terminate the program.

The "instruction at" varies every time but the "referenced memory" is always the same.

_________________
Nick
Mark_


Joined: 31 Dec 2008
Posts: 108
As far as I know, a 32-bit DLL can't be injected into a 64-bit process; you would need a 64-bit DLL for that...
tzuk


Joined: 22 Jun 2004
Posts: 15008
nick s wrote:
The bad news is that now, with the correct path, all sandboxed apps crash with an error like this...


I can reproduce this problem, I've sent some technical information to Buster, I hope it will help to resolve this problem.

_________________
tzuk
Buster


Joined: 06 Aug 2007
Posts: 2185
Mark_ wrote:
As far as I know, a 32-bit DLL can't be injected into a 64-bit process; you would need a 64-bit DLL for that...


Sandboxie will not inject the 32-bit version of the DLL into 64-bit processes, only into 32-bit ones.
Buster


Joined: 06 Aug 2007
Posts: 2185
tzuk: thank you for the information!

I compiled the DLL I sent you and nick s confirmed that everything is working fine now.
tzuk


Joined: 22 Jun 2004
Posts: 15008
I can also confirm now the DLL works fine. But I noticed a peculiar thing: If BSA.EXE is running with UAC-elevated Administrator privileges, it can only "see" API calls from sandboxed programs that are also running with UAC-elevated privileges. It does not see API calls from sandboxed programs running with normal privileges.

On the other hand if BSA.EXE is running with normal privileges, then it can see API calls from sandboxed programs that are running either with normal or admin privileges.

This is probably due to a UAC mechanism called UIPI:

http://en.wikipedia.org/wiki/User_Interface_Privilege_Isolation

You can make a note about this in the documentation, or you might be able to have BSA.EXE call the function ChangeWindowMessageFilter to make window communication possible:

http://msdn.microsoft.com/en-us/library/ms632675%28VS.85%29.aspx
Buster


Joined: 06 Aug 2007
Posts: 2185
tzuk wrote:
You can make a note about this in the documentation, or you might be able to have BSA.EXE call the function ChangeWindowMessageFilter to make window communication possible:

http://msdn.microsoft.com/en-us/library/ms632675%28VS.85%29.aspx


MSDN says:

Quote:
Adds or removes a message from the User Interface Privilege Isolation (UIPI) message filter.


I have looked for an example of ChangeWindowMessageFilter and found this:

http://social.msdn.microsoft.com/Forums/en/windowsgeneraldevelopmentissues/thread/0ccf84fd-b78d-45b3-9b79-7366003cb19d

ChangeWindowMessageFilter(WM_DROPFILES, MSGFLT_ADD);

What message should be used in case BSA is running with UAC-elevated Administrator privileges, so it can see API calls from sandboxed programs running with normal privileges?

Would it be WM_COPYDATA?

That's the message I use to communicate from LOG_API.DLL to BSA.EXE through WMCopyData.
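For the WM_COPYDATA question above, here is an added example (not BSA's or Sandboxie's own code) of the receiving side in C#: the window calls ChangeWindowMessageFilter with MSGFLT_ADD, the function tzuk pointed to, so that UIPI lets WM_COPYDATA from non-elevated sandboxed processes reach an elevated BSA.EXE. The ANSI-string payload layout is an assumption; the real LOG_API.DLL message format is not shown in this thread.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Windows.Forms;

// Receiver side (the role BSA.EXE plays). The payload is assumed to be an ANSI
// string; the real LOG_API.DLL message format is not shown in the thread.
class LogReceiverForm : Form
{
    const int WM_COPYDATA = 0x004A;
    const uint MSGFLT_ADD = 1;   // ChangeWindowMessageFilter: let the message through UIPI

    [StructLayout(LayoutKind.Sequential)]
    struct COPYDATASTRUCT
    {
        public IntPtr dwData;
        public int cbData;
        public IntPtr lpData;
    }

    [DllImport("user32.dll", SetLastError = true)]
    static extern bool ChangeWindowMessageFilter(uint message, uint dwFlag);

    public LogReceiverForm()
    {
        // Without this, an elevated BSA.EXE silently drops WM_COPYDATA sent by
        // non-elevated sandboxed processes: UIPI blocks messages from lower integrity.
        if (!ChangeWindowMessageFilter(WM_COPYDATA, MSGFLT_ADD))
            throw new Win32Exception(Marshal.GetLastWin32Error());
    }

    protected override void WndProc(ref Message m)
    {
        if (m.Msg == WM_COPYDATA)
        {
            // The filter now admits messages from less-privileged senders, so treat
            // the buffer as untrusted input: validate the length before reading it.
            var cds = (COPYDATASTRUCT)Marshal.PtrToStructure(m.LParam, typeof(COPYDATASTRUCT));
            if (cds.lpData != IntPtr.Zero && cds.cbData > 0 && cds.cbData <= 64 * 1024)
            {
                string line = Marshal.PtrToStringAnsi(cds.lpData, cds.cbData).TrimEnd('\0');
                Console.WriteLine("API log: " + line);   // BSA would append this to LOG_API.TXT
                m.Result = (IntPtr)1;                     // report the message as handled
            }
            return;
        }
        base.WndProc(ref m);
    }

    [STAThread]
    static void Main() { Application.Run(new LogReceiverForm()); }
}
```

ChangeWindowMessageFilter opens the message for every window in the process; on Windows 7 and later, ChangeWindowMessageFilterEx with MSGFLT_ALLOW limits the exception to the one window that actually receives the log data.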
Sandboxie is Copyright © 2004-2012 by Sandboxie Holdings LLC.  All rights reserved.