SandDiff

Posted: Tue Sep 22, 2009 1:21 am
by Buster
Hi.

I asked majoMo to include some new features in his tool but sadly he is not coding it himself, so I decided to try to code a similar tool. I'm not a real coder so don't be too hard on me.

You can find my tool (I named it SandDiff until I find a better name) here:

http://www.megaupload.com/?d=BOA44FQ3

It´s very simple to use:

1.- First you must define the path to the sandbox folder you want to process. e.g. DefaultBox would be something like: C:\SANDBOX\UserName\DefaultBox

Here there is a difference with majoMo's tool. His tool will process all sandboxes when checking for file differences. My tool only checks a specified sandbox.

2.- Before pressing "Step 1" button you must sandbox something, e.g. CALC.EXE.

This is the way to initialize the comparison process. It's like the "before" state of the sandbox.

3.- Before pressing "Step 2" button you must sandbox whatever you want.

When you are done, terminate all processes and then click the "Step 2" button.

Then we will get the "after" state of the sandbox and we are ready to compare the "before" and the "after".

4.- File differences will be saved to FileDiff.TXT and registry differences to RegDiff.TXT.

2 new buttons will appear: one to launch a viewer to see file differences and another to launch a viewer to see registry differences.

The viewer will be available as long as you don't close the application or restart it.

After closing the tool several temporary files will be deleted and only FileDiff.TXT and RegDiff.TXT will remain on disk.

The tool has a "Restart" function in the "Menu". That way you can do a new comparison without leaving the application.

SandDiff will remember last used sandbox. For this the registry is used to store the required information.

I plan to improve the tool. TODO list would be:

+ Feature to switch from registry to file differences and vice versa directly from the viewer

+ Feature to exclude files and registry entries from differences

If anyone has any other ideas just let me know.

P.S. Next version will have enabled the folder browser button.

Posted: Tue Sep 22, 2009 6:41 am
by Guest
Hi Buster.

Hey, it's pretty cool: reminds me a'la ZSoft Uninstaller for SBIE ;)
It worked ok for me, but unfortunately I've already seen some posts about software unprotection hacks (namely - trials) using SBIE and diff-tools...
Anyway, I do think it really depends on people only.

Cheers

Posted: Tue Sep 22, 2009 6:52 am
by Buster
Anonymous wrote: It worked ok for me, but unfortunately I've already seen some posts about software unprotection hacks (namely - trials) using SBIE and diff-tools...
Don't pay attention to everything you hear.

Posted: Tue Sep 22, 2009 7:25 am
by user2
Very poor hosting

Posted: Tue Sep 22, 2009 7:27 am
by Buster
user2 wrote: Very poor hosting
Do you mean megaupload, the host of the binary file?

Posted: Tue Sep 22, 2009 12:57 pm
by Ruhe
Hi Buster,

cool, thanks for this! :)

- Is it by design that the user can enter text in the two viewer panes? What I mean, they aren't read-only.
SandDiff will remember last used sandbox. For this the registry is used to store the required information.
Please change it, please don't use the registry. Store the data in the programs folder as ini/xml or whatever.

- The button right of the edit field does nothing; I thought it would open a "Select folder" dialog.

- Start the program the first time and press the Step 1 button, an access violation window appears.

- You should also mention that the sandbox option "Automatically delete contents of sandbox" has to be disabled.

Posted: Tue Sep 22, 2009 1:20 pm
by Buster
Ruhe wrote:Hi Buster,

cool, thanks for this! :)
I'm glad you like it.
Ruhe wrote: - Is it by design that the user can enter text in the two viewer panes? What I mean, they aren't read-only.
Yes, it's by design. I must change that, I know.
Ruhe wrote: - Please change it, please don't use the registry. Store the data in the programs folder as ini/xml or whatever.
No problem.
Ruhe wrote: - The button right of the edit field does nothing, thought it would open a "Select folder" dialog.
Read my P.S. from my first post. :wink:
Ruhe wrote: - Start the program the first time and press the Step 1 button, an access violation window appears.
Only the first time? Not on the second and later?
Ruhe wrote: - You should also mention that the sandbox option "Automatically delete contents of sandbox" has to be disabled.

I consider this tool to be for advanced users. Such a user does not need that kind of obvious information. :wink:

Posted: Tue Sep 22, 2009 1:52 pm
by Buster
I just uploaded a new release of SandDiff, version 1.01.

People interested can get it from: http://www.megaupload.com/?d=2WB3E6BP

List of modifications and new features:

+ I changed the GUI a bit, mainly messages.

+ Version 1.01 does not save information to the registry. Now it's saved to an .INI file per Ruhe's request.

+ The button to launch a folder navigator works now.

+ Viewer panels are now read only. This means you cannot edit the contents.

+ I added an option to keep the "before" and "after" temporary files. They are used to generate FileDiff.TXT and RegDiff.TXT and they are in text format too. As they may be useful for someone I give the option to easily keep them.

Just one note: the feature only avoids deleting those files (RegHive1/RegHive2 and FileList1/FileList2) on exit.
If someone does several processes the files should be kept manually (just copy them elsewhere).

+ I have added an option to simulate a totally empty Sandbox. (No registry values and only RegHive and RegHive.LOG files)

So now SandDiff can compare differences between a sandbox in 2 different moments or the changes produced to a totally empty sandbox.

+ From this version the viewer is called from a single button. From inside the viewer the user can switch from File to Registry view and vice versa.

+ FileDiff.TXT is now more detailed. From version 1.01 it will show removed files (marked with a "-") and new files (marked with a "+" sign)

I probably missed something, but that's more or less what I changed from version 1.0 to 1.01.

Just let me know if anyone finds a bug or has any suggestion or feature request.

In my TODO list I got:

+ Apart from showing deleted/new files I want to include a feature to compare file contents so modified files can be reported too: useful to catch virus file modifications.

+ I want to add a feature to exclude from differences user defined files and probably registry values too.
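As an added illustration (not Buster's code and not SandDiff's own source), here is the before/after file comparison from the first post's Step 1/Step 2 procedure, producing FileDiff.TXT-style lines with the "-" and "+" markers of version 1.01, plus the two TODO items above: a content hash so modified files are reported (marked "~") and a user-defined exclusion list. The sandbox tree is a constructed temporary directory standing in for C:\SANDBOX\UserName\DefaultBox; the registry side (RegHive) is not parsed here, only excluded from the file diff.

```python
import hashlib
import tempfile
from pathlib import Path

# RegHive / RegHive.LOG belong to the registry diff, so the file diff skips them.
EXCLUDE = ("RegHive",)

def snapshot(root, exclude=EXCLUDE):
    """Map each file under root (relative path) to a SHA-256 of its content.
    Hashing the content is what lets the diff report modified files too."""
    root = Path(root)
    state = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.startswith(exclude):  # user-defined exclusion list
            continue
        state[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return state

def file_diff(before, after):
    """FileDiff.TXT-style lines: '-' removed, '+' new, '~' content changed."""
    lines = []
    for rel in sorted(set(before) | set(after)):
        if rel not in after:
            lines.append("- " + rel)
        elif rel not in before:
            lines.append("+ " + rel)
        elif before[rel] != after[rel]:
            lines.append("~ " + rel)
    return lines

def demo():
    """Constructed sandbox tree standing in for C:\\SANDBOX\\UserName\\DefaultBox,
    mutated between the two snapshots the way a sandboxed program would."""
    with tempfile.TemporaryDirectory() as box:
        user = Path(box) / "drive" / "C" / "Users" / "x"
        user.mkdir(parents=True)
        (user / "notes.txt").write_text("hello")
        (user / "stale.tmp").write_text("old")
        (Path(box) / "RegHive").write_bytes(b"\x00" * 16)
        before = snapshot(box)                              # "Step 1": before state
        (user / "notes.txt").write_text("hello, changed")   # modified in place
        (user / "stale.tmp").unlink()                       # removed
        (user / "dropper.exe").write_bytes(b"MZ")           # dropped
        (Path(box) / "RegHive").write_bytes(b"\x01" * 16)   # changes, but excluded
        after = snapshot(box)                               # "Step 2": after state
        return file_diff(before, after)
```

Writing the returned lines to FileDiff.TXT is all that is left to match the tool's output; `demo()` returns them so they can be checked directly.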

Posted: Tue Sep 22, 2009 3:27 pm
by Ruhe
Buster wrote:
Ruhe wrote:- Start the program the first time and press the Step 1 button, an access violation window appears.
Only first time? Not on second and later?
In v1.01 every time I press [Before], even after closing the app and restarting it.

[Screenshot attached]

Posted: Tue Sep 22, 2009 5:33 pm
by Buster
SandDiff 1.01 release 2: http://www.megaupload.com/?d=4SG2IV83

It fixes the minor bug Ruhe found.

Posted: Tue Sep 22, 2009 5:37 pm
by Ruhe
Buster wrote:It fixes the minor bug Ruhe found.
Yes, fixed with 1.01 release 2

Posted: Tue Sep 22, 2009 5:43 pm
by Buster
Ruhe has been so kind as to host SandDiff.

Here you have the address of the main page: http://sanddiff.qnea.de

Here you have a link to the latest version: http://sanddiff.qnea.de/sanddiff.rar

Posted: Wed Sep 23, 2009 5:00 pm
by Buster
I thought that I would like SandDiff to become something more than just a program showing differences between 2 sandboxes.

My idea is to make a program that after comparing differences can evaluate if the sandboxed application(s) may have performed malicious actions.

Before coding that part I want to finish the part getting differences.

I'm interested in active testers. Anyone?

Posted: Thu Sep 24, 2009 7:09 am
by Ruhe
It would be funny to give it a try.

Posted: Thu Sep 24, 2009 12:24 pm
by Buster
tzuk:

On the common feature requests page (http://www.sandboxie.com/index.php?Comm ... reRequests) you comment:
Log program actions, file access and registry writes, and/or do behavior analysis on programs

Not likely: There are tools which excel at these tasks, but Sandboxie is not designed for that. Use the mix and match approach: Use an activity trace tool to analyze the behavior of a program running under the supervision of Sandboxie.
I pretend SandDiff covers that feature request.

I hope you can help me with the feature request I just did. It would help me a lot!