Buster Sandbox Analyzer

Utilities designed for use with Sandboxie
Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Mon Dec 07, 2009 11:32 pm

nick s wrote: I'm working on converting Malware Defender's default registry rules for use in BSA. Wildcards would also be useful in dealing with something like multiple ControlSet* entries:

\SYSTEM\ControlSet*\Control\BootVerificationProgram; ImagePath
\SYSTEM\ControlSet*\Control\Lsa; Authentication Packages
\SYSTEM\ControlSet*\Control\Lsa; Notification Packages
Ok, I will add wildcard (*) support for:

[AutoStart_Registry_Created_or_Modified]

and

[Custom_Registry_Entries]
nick s wrote: Note that the "; " preceding a value is still part of Malware Defender's syntax. Would the following be a correct conversion?

from...

\SYSTEM\ControlSet*\Control\BootVerificationProgram; ImagePath

to...

\SYSTEM\ControlSet*\Control\BootVerificationProgram\ImagePath<->ImagePath
Yes, apart from the "*", which is not supported yet, the rest would be a valid conversion.

nick s
Posts: 382
Joined: Sat Dec 20, 2008 12:52 am

Post by nick s » Mon Dec 07, 2009 11:48 pm

Buster wrote: Ok, I will add wildcard (*) support for:

[AutoStart_Registry_Created_or_Modified]

and

[Custom_Registry_Entries]
Thank you :D.
Nick

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Wed Dec 09, 2009 9:14 am

Released Buster Sandbox Analyzer 1.04.

Change list:

Added support for network shares

Added a feature to allow wildcards in BSA.DAT

Added a feature to ignore when sandbox folder is not empty

Added a feature to check for updates on start

Updated LOG_API library

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Wed Dec 09, 2009 9:16 am

nick s: Try version 1.04 and let me know if the wildcard feature works as expected.

Do you plan to share Malware Defender's default registry rules? It would be nice!

nick s
Posts: 382
Joined: Sat Dec 20, 2008 12:52 am

Post by nick s » Wed Dec 09, 2009 2:18 pm

Buster wrote: nick s: Try version 1.04 and let me know if the wildcard feature works as expected.
Working well so far. For example, machine\system\*Control*\Control\Session Manager\* captured the following deletions:

machine\SYSTEM\ControlSet001\Control\Session Manager\BootExecute = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\CriticalSectionTimeout = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\ExcludeFromKnownDlls = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\GlobalFlag = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\HeapDeCommitFreeBlockThreshold = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\HeapDeCommitTotalFreeThreshold = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\HeapSegmentCommit = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\HeapSegmentReserve = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\NumberOfInitialSessions = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\ObjectDirectories = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\ProcessorControl = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\ProtectionMode = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\ResourceTimeoutCount = deleted value key
machine\SYSTEM\ControlSet001\Control\Session Manager\SetupExecute = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\BootExecute = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\CriticalSectionTimeout = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\ExcludeFromKnownDlls = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\GlobalFlag = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\HeapDeCommitFreeBlockThreshold = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\HeapDeCommitTotalFreeThreshold = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\HeapSegmentCommit = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\HeapSegmentReserve = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\NumberOfInitialSessions = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\ObjectDirectories = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\ProcessorControl = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\ProtectionMode = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\ResourceTimeoutCount = deleted value key
machine\SYSTEM\ControlSet002\Control\Session Manager\SetupExecute = deleted value key
Buster wrote: Do you plan to share Malware Defender's default registry rules? It would be nice!
Of course :D. Since there are about 200 rules, it will take me a couple of more days to convert and organize them.
Nick

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Wed Dec 09, 2009 3:05 pm

Glad to hear it works fine! :)

Nobody asked to use wildcards more than once per line, but luckily I added the feature. :wink:

In your example the search string could be optimized from:

machine\system\*Control*\Control\Session Manager\*

to:

machine\system\Control*\Control\Session Manager

or at least to:

machine\system\*Control*\Control\Session Manager

Both would be equivalent, as the final "*" is ignored. This is done because I do the search to check if the string is contained, not equivalent.

Nice to hear you will share the rules! :D

The problem with MD's rules is you miss the reason to add them.

nick s
Posts: 382
Joined: Sat Dec 20, 2008 12:52 am

Post by nick s » Wed Dec 09, 2009 11:39 pm

Buster wrote: The problem with MD's rules is you miss the reason to add them.
Do you mean the description that follows "<->"?

What conversion/wildcard recommendations do you have for the following keys/subkeys?


HKEY_USERS
HKEY_USERS\.DEFAULT
HKEY_USERS\S-1-5-18
HKEY_USERS\S-1-5-19
HKEY_USERS\S-1-5-20
HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001
HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001_Classes
Only the contents of the "Classes" subkey is unique.
Nick

nick s
Posts: 382
Joined: Sat Dec 20, 2008 12:52 am

Post by nick s » Thu Dec 10, 2009 12:20 am

Buster, is it possible to implement a wildcard/switch that permits BSA to log all registry modifications?
Nick

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Thu Dec 10, 2009 1:18 am

nick s wrote:
Buster wrote: The problem with MD's rules is you miss the reason to add them.
Do you mean the description that follows "<->"?
Yes, the description that follows "<->".

Do Malware Defender's rules give an explanation about why they included those keys? If MD doesn't include it, you will have to introduce it yourself.
nick s wrote: What conversion/wildcard recommendations do you have for the following keys/subkeys?


HKEY_USERS
HKEY_USERS\.DEFAULT
HKEY_USERS\S-1-5-18
HKEY_USERS\S-1-5-19
HKEY_USERS\S-1-5-20
HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001
HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001_Classes
Only the contents of the "Classes" subkey is unique.
I must check this. HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER are supported right now but others are not. This happens because Sandboxie "translates" the names of the keys to its own format.

Anyway, as the search is done to check if strings are contained, I suggest you put the longest string first in BSA.DAT:

HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001_Classes

then:

HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001

and the rest literally:

HKEY_USERS\S-1-5-18
HKEY_USERS\S-1-5-19
HKEY_USERS\S-1-5-20

Does it make sense to you?
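Buster's two posts above (the one on the redundant trailing "*" and this one on putting the longest string first) describe the same matching rule from two sides. The following is an added example, not code from the thread or from Buster Sandbox Analyzer, that models that rule so the two remarks can be checked against sample data: rules are "pattern<->description" lines under [Section] headers, a pattern hits when it is contained in a RegDiff.TXT line rather than equal to it, "*" may appear several times, and a trailing "*" changes nothing. Two things are assumptions inferred from the thread rather than stated by BSA's author: matching is case-insensitive (nick s's lowercase machine\system\... pattern hit lines reading machine\SYSTEM\...), and rules are tried in file order with the first hit winning, which is what makes the "longest string first" advice matter. The BSA.DAT and RegDiff.TXT excerpts are constructed sample data modelled on the lines quoted in the thread.

```python
# Added example (not code from the thread or from Buster Sandbox Analyzer): a
# model of how BSA.DAT registry rules are matched against RegDiff.TXT lines.
# Assumptions inferred from the thread, not stated by BSA's author:
#   - matching is case-insensitive;
#   - rules are tried in file order and the first hit wins.
# The BSA.DAT and RegDiff.TXT excerpts below are constructed sample data.

BSA_DAT = r"""
[AutoStart_Registry_Created_or_Modified]
\SYSTEM\ControlSet*\Control\BootVerificationProgram\ImagePath<->Boot verification program
\SYSTEM\ControlSet*\Control\Lsa\Notification Packages<->LSA notification package
[Custom_Registry_Entries]
HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001_Classes<->Per-user classes
HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001<->Per-user hive
machine\system\*Control*\Control\Session Manager<->Session Manager change
"""

REGDIFF = r"""
machine\SYSTEM\ControlSet001\Control\Session Manager\BootExecute = deleted value key
machine\SYSTEM\ControlSet002\Control\Lsa\Notification Packages = scecli, sample.dll
HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001_Classes\CLSID\{sample} = created key
HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001\Software\Sample = created key
machine\SOFTWARE\Unrelated\Key = modified value
"""


def parse_rules(text):
    """Return [(section, pattern, description)] in file order."""
    rules, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]
            continue
        pattern, sep, desc = line.partition('<->')  # description is optional
        rules.append((section, pattern, desc if sep else ''))
    return rules


def wildcard_contains(pattern, text):
    """True when text contains a substring matching pattern.

    '*' matches any run of characters and may appear more than once.  A
    trailing '*' is dropped: containment already allows anything after the
    last literal segment, which is why the final '*' is ignored.
    """
    segments = pattern.lower().split('*')
    while segments and segments[-1] == '':
        segments.pop()
    haystack, pos = text.lower(), 0
    for seg in segments:
        if seg == '':          # leading or doubled '*': nothing to anchor on
            continue
        idx = haystack.find(seg, pos)
        if idx < 0:
            return False
        pos = idx + len(seg)   # later segments must follow this one
    return True


def first_match(rules, regdiff_line):
    """First rule (in file order) whose pattern is contained in the line."""
    for rule in rules:
        if wildcard_contains(rule[1], regdiff_line):
            return rule
    return None


def build_analysis(rules, regdiff_text):
    """Model of Analysis.TXT: every RegDiff line that hits a rule, tagged with
    the rule's section and description."""
    hits = []
    for raw in regdiff_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        rule = first_match(rules, line)
        if rule is not None:
            hits.append((line, rule[0], rule[2]))
    return hits


if __name__ == '__main__':
    for line, section, desc in build_analysis(parse_rules(BSA_DAT), REGDIFF):
        print(f'[{section}] {desc}: {line}')
```

Reversing the rule order in the sample file is enough to see the ordering problem: the "..._Classes" line is then claimed by the shorter "...-1001" rule, because the shorter string is contained in it, and the Analysis.TXT description would be wrong.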

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Thu Dec 10, 2009 1:24 am

nick s wrote: Buster, is it possible to implement a wildcard/switch that permits BSA to log all registry modifications?
I don't understand what you mean. BSA already logs all registry modifications. :?

nick s
Posts: 382
Joined: Sat Dec 20, 2008 12:52 am

Post by nick s » Fri Dec 11, 2009 12:46 am

Buster wrote: I must check this. HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER are supported right now but others are not. This happens because Sandboxie "translates" the names of the keys to its own format.

Anyway, as the search is done to check if strings are contained, I suggest you put the longest string first in BSA.DAT:

HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001_Classes

then:

HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001

and the rest literally:

HKEY_USERS\S-1-5-18
HKEY_USERS\S-1-5-19
HKEY_USERS\S-1-5-20

Does it make sense to you?
Makes sense. I will try it out.
Nick

nick s
Posts: 382
Joined: Sat Dec 20, 2008 12:52 am

Post by nick s » Fri Dec 11, 2009 12:57 am

Buster wrote:
nick s wrote: Buster, is it possible to implement a wildcard/switch that permits BSA to log all registry modifications?
I don't understand what you mean. BSA already logs all registry modifications. :?
Sorry for my confusion. BSA logs all registry mods to RegDiff.TXT while Malware Analyzer (Analysis.TXT) filters its output through the registry rules set in BSA.DAT. Is that correct?
Nick

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Fri Dec 11, 2009 2:22 am

nick s wrote: Sorry for my confusion. BSA logs all registry mods to RegDiff.TXT while Malware Analyzer (Analysis.TXT) filters its output through the registry rules set in BSA.DAT. Is that correct?
That´s correct.

Analysis.TXT is built from the matches of the BSA.DAT entries in RegDiff.TXT.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Sun Dec 13, 2009 4:17 pm

Released Buster Sandbox Analyzer 1.05.

Change list:

Added "Assorted suspicious actions"

Fixed several bugs in Buster Sandbox Analyzer

Updated LOG_API library

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Sun Dec 13, 2009 4:33 pm

nick s: You asked about

HKEY_USERS
HKEY_USERS\.DEFAULT
HKEY_USERS\S-1-5-18
HKEY_USERS\S-1-5-19
HKEY_USERS\S-1-5-20
HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001
HKEY_USERS\S-1-5-21-25130506-776034094-9161161-1001_Classes

Well, I found that if you modify something in HKEY_USERS\S-1-5-18 the change will appear under HKEY_USERS\.DEFAULT.

That means that any entry in BSA.DAT must reference HKEY_USERS\.DEFAULT and not HKEY_USERS\S-1-5-18 because that one will never appear in RegDiff.TXT.

There are a few other cases like this, e.g.

HKEY_CLASSES_ROOT changes will appear under HKEY_CURRENT_USER\software\classes.

The same happens with HKEY_CURRENT_CONFIG.

In case of doubt it's better to make a test and check where the change is done.
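Because a BSA.DAT rule that names a hive Sandboxie never writes to RegDiff.TXT will simply never match, it is worth linting converted rule sets for the redirections this post reports. The following is an added example, not BSA's own code, that does that over rule lines: it rewrites the HKEY_USERS\S-1-5-18 prefix to HKEY_USERS\.DEFAULT and the HKEY_CLASSES_ROOT prefix to HKEY_CURRENT_USER\software\classes, which are the two cases the post names. The post also says HKEY_CURRENT_CONFIG is redirected, but not to where, so rules under that hive are only flagged for the "make a test" check and left unchanged. The rule lines in the demo are constructed sample data; the alias table contains nothing beyond what the post states.

```python
# Added example (not BSA's own code): lint BSA.DAT rule lines and rewrite hive
# prefixes to the names that actually appear in RegDiff.TXT, as reported in the
# post above.  ALIASES holds only the two redirections the post names;
# HKEY_CURRENT_CONFIG is reported as redirected without a stated target, so
# such rules are only flagged.  Sample rule lines below are constructed.

# (prefix as written in a rule, prefix as it shows up in RegDiff.TXT)
ALIASES = [
    (r'HKEY_USERS\S-1-5-18', r'HKEY_USERS\.DEFAULT'),
    (r'HKEY_CLASSES_ROOT', r'HKEY_CURRENT_USER\software\classes'),
]
# Hives the post says are redirected without naming the target.
UNRESOLVED = [r'HKEY_CURRENT_CONFIG']


def _has_prefix(path, prefix):
    """Case-insensitive key-prefix test that stops at a backslash separator,
    so a prefix cannot claim a longer sibling key name by accident."""
    p, q = path.lower(), prefix.lower()
    return p == q or p.startswith(q + '\\')


def normalize_rule(rule_line):
    """Return (rule_line_to_use, note).  note is '' when the line is fine."""
    pattern, sep, desc = rule_line.partition('<->')
    for written, seen in ALIASES:
        if _has_prefix(pattern, written):
            fixed = seen + pattern[len(written):] + sep + desc
            return fixed, f'rewrote {written} -> {seen}'
    for hive in UNRESOLVED:
        if _has_prefix(pattern, hive):
            return rule_line, f'{hive} is redirected by Sandboxie; test where the change lands'
    return rule_line, ''


def normalize_rules(lines):
    """Apply normalize_rule to every rule line, passing section headers and
    blank lines through untouched.  Returns [(line, note)] in input order."""
    out = []
    for line in lines:
        if not line.strip() or line.startswith('['):
            out.append((line, ''))
        else:
            out.append(normalize_rule(line))
    return out


if __name__ == '__main__':
    sample = [
        '[Custom_Registry_Entries]',
        r'HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run<->SYSTEM account autorun',
        r'HKEY_CLASSES_ROOT\exefile\shell\open\command<->EXE file handler',
        r'HKEY_USERS\S-1-5-19\Software\Sample<->LocalService hive',
        r'HKEY_CURRENT_CONFIG\Software\Sample<->current config',
    ]
    for line, note in normalize_rules(sample):
        print(line + ('  # ' + note if note else ''))
```

Run it once over a converted rule set before trusting Analysis.TXT: every "rewrote" note is a rule that would otherwise have been dead, and every "test where the change lands" note is a rule to verify the way the post suggests.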
