Buster Sandbox Analyzer

Utilities designed for use with Sandboxie
majoMo
Posts: 14
Joined: Mon Jun 30, 2008 6:18 pm

Post by majoMo » Sun Dec 13, 2009 7:32 pm

Your research work is correct:

HKLM and HKU contain all registry data. HKCR, HKCU and HKCC are just links.


Root Key  	Equivalent  

HKCR 		HKCU\Software\Classes + HKLM\SOFTWARE\Classes 
HKCU		HKU\SID 
HKCC 		HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current
:wink:

nick s
Posts: 382
Joined: Sat Dec 20, 2008 12:52 am

Post by nick s » Mon Dec 14, 2009 1:41 am

Buster wrote: Well, I found that if you modify something in HKEY_USERS\S-1-5-18 the change will appear under HKEY_USERS\.DEFAULT......
I see that when I run List Registry Links unsandboxed...


c:\files\listregistrylinks>ListRegistryLinks.exe hku
"hku\S-1-5-21-25130506-776034094-9161161-1001\Software\Classes" -> "HKU\S-1-5-21
-25130506-776034094-9161161-1001_Classes"
"hku\Sandbox_Nick_DefaultBox\user\current\software\classes" -> "HKU\Sandbox_Nick
_DefaultBox\user\current_classes"
"hku\S-1-5-18" -> "HKU\.Default"

c:\files\listregistrylinks>
It's interesting to watch the continuous symbolic registry link activity when running ListRegistryLink sandboxed.
Nick
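The registry-link output above, together with majoMo's root-key table, as an added Python example (not code from ListRegistryLinks, BSA or Sandboxie): it parses the tool's console output into a link map, handling the key names that the console wrapped across two lines, rewrites the alias roots (HKCR, HKCU, HKCC) into their physical HKU/HKLM locations, and then follows the symbolic links. The sample output and the SID are the ones quoted in nick s's post; the per-user-before-machine order for HKCR is the documented merge behaviour and is not stated on this page.

```python
"""Parse ListRegistryLinks-style output and canonicalize registry paths.

Added example, not part of ListRegistryLinks or Buster Sandbox Analyzer.
"""
import re

# Constructed sample: the console output quoted in the thread, including the
# two places where the console width wrapped a key name onto a second line.
SAMPLE_OUTPUT = r"""c:\files\listregistrylinks>ListRegistryLinks.exe hku
"hku\S-1-5-21-25130506-776034094-9161161-1001\Software\Classes" -> "HKU\S-1-5-21
-25130506-776034094-9161161-1001_Classes"
"hku\Sandbox_Nick_DefaultBox\user\current\software\classes" -> "HKU\Sandbox_Nick
_DefaultBox\user\current_classes"
"hku\S-1-5-18" -> "HKU\.Default"

c:\files\listregistrylinks>
"""
SAMPLE_SID = "S-1-5-21-25130506-776034094-9161161-1001"  # SID from the sample

LINK_RE = re.compile(r'^"(?P<src>[^"]*)" -> "(?P<dst>[^"]*)"$')

ROOT_ALIASES = {
    "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_USERS": "HKU", "HKEY_CURRENT_USER": "HKCU",
    "HKEY_CLASSES_ROOT": "HKCR", "HKEY_CURRENT_CONFIG": "HKCC",
}


def parse_links(text):
    """Return {source: target} for every '"src" -> "dst"' record in the output.

    A record is complete once it holds four double quotes; a line that does not
    start with a quote while a record is open is a wrapped continuation of a
    key name and is appended without any separator (the name was split mid-token).
    Prompt lines and blank lines outside a record are ignored.
    """
    links = {}
    buf = ""
    for line in text.splitlines():
        if not buf:
            if not line.startswith('"'):
                continue
            buf = line
        else:
            buf += line
        if buf.count('"') == 4:
            m = LINK_RE.match(buf)
            if m:
                links[m["src"]] = m["dst"]
            buf = ""
    return links


def canonical_paths(path, sid):
    """Map a path under an alias root to the physical hive path(s) it refers to.

    HKCR is a merged view of two locations, so it yields both: the per-user
    Classes key first, because it takes precedence over the machine-wide one.
    """
    root, _, rest = path.replace("/", "\\").partition("\\")
    root = ROOT_ALIASES.get(root.upper(), root.upper())
    suffix = "\\" + rest if rest else ""
    if root == "HKCU":
        return [f"HKU\\{sid}{suffix}"]
    if root == "HKCR":
        return [f"HKU\\{sid}\\Software\\Classes{suffix}",
                f"HKLM\\SOFTWARE\\Classes{suffix}"]
    if root == "HKCC":
        return [f"HKLM\\SYSTEM\\CurrentControlSet\\Hardware Profiles\\Current{suffix}"]
    if root in ("HKLM", "HKU"):
        return [f"{root}{suffix}"]
    raise ValueError(f"unknown root key in {path!r}")


def resolve(path, links):
    """Rewrite the path through the first symbolic link whose source is a
    prefix of it (registry key names compare case-insensitively)."""
    low = path.lower()
    for src, dst in links.items():
        s = src.lower()
        if low == s or low.startswith(s + "\\"):
            return dst + path[len(src):]
    return path


if __name__ == "__main__":
    links = parse_links(SAMPLE_OUTPUT)
    for src, dst in links.items():
        print(f"{src} -> {dst}")
    for p in ("HKCU\\Software\\Classes\\.txt", "HKCR\\.txt", "HKU\\S-1-5-18\\Software"):
        for physical in canonical_paths(p, SAMPLE_SID):
            print(f"{p} => {physical} => {resolve(physical, links)}")
```

Running it shows why a write under HKU\S-1-5-18 appears under HKU\.Default, and why a per-user HKCR change ends up in the separate HKU\<SID>_Classes hive rather than under the user's own hive: both are symbolic links, and a sandbox that redirects the link source but not its target (or vice versa) leaks the write.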

bs1
Posts: 565
Joined: Fri May 16, 2008 12:32 pm

Post by bs1 » Wed Dec 16, 2009 10:25 am

Buster,

It looks like you're getting some notoriety. (Scroll down to the "Tests and malware analysis tools" section.) Congrats. :D

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Wed Dec 16, 2009 10:48 am

I like that BSA has its own section, because that means it has some originality. :)

Ruhe
Posts: 803
Joined: Thu Jul 03, 2008 8:56 am
Location: Germany
Contact:

Post by Ruhe » Fri Dec 18, 2009 3:13 am

As the host of BSA I can confirm this, as I see it in the traffic on the domain.

jumanji
Posts: 6
Joined: Thu Dec 31, 2009 5:53 pm

Post by jumanji » Thu Dec 31, 2009 8:31 pm

Great, Buster, keep up the good work.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Fri Jan 01, 2010 2:13 pm

Buster Sandbox Analyzer 1.06 has been released.

Change list:

Added Sandboxie hidden capabilities
Improved BSA.DAT (thanks to nick s)
Fixed a bug in Buster Sandbox Analyzer
LOG_API library completely rewritten

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Fri Jan 01, 2010 2:19 pm

Note for the people interested in hiding Sandboxie:

Read BSA.PDF to learn how to hide Sandboxie. It's not necessary to run BSA to hide Sandboxie; it's only necessary to inject LOG_API.DLL and run the driver to hide processes.

hotmog
Posts: 44
Joined: Sun Nov 22, 2009 7:52 am
Location: Worcester Park, Surrey, UK
Contact:

Post by hotmog » Sat Jan 02, 2010 11:22 am

Hi Buster

I downloaded BSA today, and have followed the instructions to install and use it, including renaming LOG_API.DLL to an aleatory name as recommended. All the files are in a folder called "BSA" in the C:\ root directory.

I've created a new sandbox called BSA specifically for when I want to run the analyzer, which has auto-delete turned off. However I also added the two command lines:

InjectDll=c:\bsa\log_api.dll (with log_api.dll amended to its aleatory name)
OpenWinClass=TFormBSA

to the Defaultbox settings.

The Defaultbox is configured to force iexplore.exe to run within it whenever IE is opened outside the sandbox. Now, whenever I open IE, I get an SBIE2313 error "Could not execute SandboxieRpcSs.exe", and SBIE2204 "Cannot start SandboxieRpcSs service".

However, if I terminate all sandboxed processes, then right-click on the Defaultbox and select Run Web Browser, IE opens normally. Once that has happened, I can click on the IE icon from the taskbar to launch another instance of IE OK, with no errors.

Any idea what's causing this, and how it can be resolved?
Hotmog's Victorian Breweriana - http://www.victorian-breweriana.me.uk

nick s
Posts: 382
Joined: Sat Dec 20, 2008 12:52 am

Post by nick s » Sat Jan 02, 2010 12:52 pm

hotmog wrote: Any idea what's causing this, and how it can be resolved?
During the 1.06 betas, Buster explained the issue this way: log_api.dll intercepts GetModuleHandle requests for SbieDll.dll and returns "nothing found". This is desirable when running sandboxed malware that tries to detect Sandboxie. Unfortunately, it breaks forced programs. It's best to have a dedicated sandbox for use with BSA and set another sandbox to manage your forced programs.
Nick

hotmog
Posts: 44
Joined: Sun Nov 22, 2009 7:52 am
Location: Worcester Park, Surrey, UK
Contact:

Post by hotmog » Sat Jan 02, 2010 1:26 pm

Thanks for that info, Nick. I've now removed those two command lines from the Defaultbox configuration settings.
Buster wrote: Note for the people interested in hiding Sandboxie:

Read BSA.PDF to learn how to hide Sandboxie. It's not necessary to run BSA to hide Sandboxie; it's only necessary to inject LOG_API.DLL and run the driver to hide processes.
Just tried it - I rather like that! Surprisingly, it still runs in "stealth" mode even though only the Defaultbox is opened, which doesn't now have the InjectDll command.

I don't suppose there's any chance of enabling some sort of facility to retain/load the initialization parameters (i.e. driver path & process names) in a configuration file, rather than having to store them in a text file and paste them into the HideDriverGUI.exe program every time I want to run it? Also, will it work with non-Sandboxie processes (I was thinking of Shadow Defender, for example)?
Hotmog's Victorian Breweriana - http://www.victorian-breweriana.me.uk

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Sat Jan 02, 2010 2:39 pm

This feature has been requested from the guys who coded the driver to hide processes. Unfortunately they didn't reply.

You can know more about the driver here:

http://www.codeproject.com/KB/system/hide-driver.aspx

Maybe someone with more experience than me in C++ would be able to add the feature.

I must also say that hiding Sandboxie is a two-step process. The driver to hide processes is the first part and injecting LOG_API.DLL is the second.

I suggest you create a sandbox specifically for BSA and add the injection of LOG_API.DLL to that sandbox and not to the DefaultBox, where it will create problems with your forced programs.

hotmog
Posts: 44
Joined: Sun Nov 22, 2009 7:52 am
Location: Worcester Park, Surrey, UK
Contact:

Post by hotmog » Sat Jan 02, 2010 3:28 pm

Hi Buster

I have already created a sandbox specifically for BSA, which has the InjectDll command for LOG_API.DLL. That command has been removed from the Defaultbox, and I no longer have an issue with IE. That is why I am surprised that the Sandboxie processes still remain hidden when only the Defaultbox is opened (after rebooting & rerunning HideDriverGUI.exe).

I don't understand the significance of the inject dll stage. I had a look at your link, but I'm no C++ programmer either, so I'm afraid I'm none the wiser.
Hotmog's Victorian Breweriana - http://www.victorian-breweriana.me.uk

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Sat Jan 02, 2010 3:42 pm

hotmog wrote: Hi Buster

I have already created a sandbox specifically for BSA, which has the InjectDll command for LOG_API.DLL. That command has been removed from the Defaultbox, and I no longer have an issue with IE. That is why I am surprised that the Sandboxie processes still remain hidden when only the Defaultbox is opened (after rebooting & rerunning HideDriverGUI.exe).

I don't understand the significance of the inject dll stage. I had a look at your link, but I'm no C++ programmer either, so I'm afraid I'm none the wiser.
The driver to hide processes takes care of the "more visible" components of Sandboxie: Sbiesvc.exe, SbieCtrl.exe, SandboxieDComLaunch.exe and SandboxieRpcSs.exe.

I mean that when you hide the Sandboxie components, you can easily check whether they are hidden just by opening the Task Manager and checking whether they appear there.

But have you tried to check whether SbieDll.Dll is visible when you don't inject LOG_API.DLL? Do you know how to check that?

I suggest two programs to check:

1) Process explorer

http://technet.microsoft.com/en-us/sysi ... 96653.aspx

2) VMMap

http://technet.microsoft.com/en-us/sysi ... 35533.aspx

You can test this way:

Don't inject LOG_API.DLL and sandbox NOTEPAD.EXE. Then open Process Explorer and select the NOTEPAD.EXE process. Go to "View" -> "Show Lower Pane". Then "View" -> "Lower Pane View" -> "DLLs".

SbieDll.dll will be listed.

You can close Process Explorer but keep the sandboxed instance of NOTEPAD.EXE. Run VMMap and select NOTEPAD.EXE. Again you will see SbieDll.Dll.

LOG_API.DLL makes SbieDll.Dll invisible to such programs.

Test and let me know if that's right.

hotmog
Posts: 44
Joined: Sun Nov 22, 2009 7:52 am
Location: Worcester Park, Surrey, UK
Contact:

Post by hotmog » Sat Jan 02, 2010 7:08 pm

Hi Buster

Yes, you're dead right! Previously I only did a CTRL/ALT/DEL to check the processes, but when I ran Process Explorer using your instructions, SbieDll.Dll is indeed still visible.

Clearly, running Sandboxie in "stealth mode" by default is not going to be a feasible option for me. My wife uses this PC under her own user account; she neither knows, nor wishes to know, the ins and outs of Sandboxie. So the fact that Internet Explorer is sandboxed when she connects to the internet has to be completely transparent, hence IE being a forced program in the Defaultbox.

At least I understand a lot more now than I did earlier how to use your excellent add-on facility to Sandboxie, and can always run it completely "hidden" using my dedicated sandbox should I feel the urge. Many thanks for your sound advice. :)
Hotmog's Victorian Breweriana - http://www.victorian-breweriana.me.uk
