SandDiff
Hi.
I just uploaded SandDiff 1.02. The URL is: http://sanddiff.qnea.de/sanddiff.rar
The changes I introduced are:
+ SandDiff performs a file modification checking so modificated files will be reported in FileDiff.TXT.
I didn´t explain it but in the reports (FileDiff, RegDiff, ...) there are 3 symbols initiating each line
"+" means that a file or registry entry was added.
"~" means that a file or registry entry was modified.
"-" means that a file or registry entry was removed.
+ I introduced a new button with the label "Meanwhile".
At the moment this button is used to capture a log of connections so SandDiff can compare opened ports.
+ I added a feature to easily recover already used sandbox folders.
+ The switch button of the viewer will change from File -> Registry -> Ports (if available) and then back to File again.
+ RegHive and RegHive.LOG are automatically discarded from file difference comparisions.
As usual I may miss something. Just try the new version and drop your comments.
Actually the TODO list contains:
+ Feature to exclude from differences user defined files, registry and maybe port values too.
+ Include a module that analyzes all the information obtained from comparisions and presents a malware
behaviour evaluation.
I just uploaded SandDiff 1.02. The URL is: http://sanddiff.qnea.de/sanddiff.rar
The changes I introduced are:
+ SandDiff performs a file modification checking so modificated files will be reported in FileDiff.TXT.
I didn´t explain it but in the reports (FileDiff, RegDiff, ...) there are 3 symbols initiating each line
"+" means that a file or registry entry was added.
"~" means that a file or registry entry was modified.
"-" means that a file or registry entry was removed.
+ I introduced a new button with the label "Meanwhile".
At the moment this button is used to capture a log of connections so SandDiff can compare opened ports.
+ I added a feature to easily recover already used sandbox folders.
+ The switch button of the viewer will change from File -> Registry -> Ports (if available) and then back to File again.
+ RegHive and RegHive.LOG are automatically discarded from file difference comparisions.
As usual I may miss something. Just try the new version and drop your comments.
Actually the TODO list contains:
+ Feature to exclude from differences user defined files, registry and maybe port values too.
+ Include a module that analyzes all the information obtained from comparisions and presents a malware
behaviour evaluation.
I have uploaded SandDiff 1.03.
Changes:
+ Certain files will be stored under a folder named "Config".
+ I added the exclusion list feature.
The user can define what strings must be discarded from difference files. String search is case-insensitive.
With that changes the part of the program comparing differences between 2 sandboxes is, at least at the moment, finished. I don´t plan adding new features to this part, only fix bugs if any is found, but if someone suggests an interesting feature I will be glad to consider adding it.
Now I will start working in the part of the program that analyzes all the differences and evaluates if taken actions can be considered as suspicious.
My final goal is to create a report listing all the actions that were considered suspicious, if any, and give an evaluation based on them. For this I must create a list of suspicious actions and assign them a "malicious ratio".
Finally the analysing module would say that analysed program(s) has a "low", "medium" or "high" risk of being a malware.
I say it now and I would like to don´t have to repeat it very much: Nobody can expect 100% accurate results, probably not even a 1% in some cases.
Some malwares will detect Sandboxie is running so they will abort operations. In such cases the analysis will be useless.
Some malwares don´t start malicious actions inmediately after being run. Again, in such cases the analysis will be very probably useless.
Some malwares (backdoors mainly) just open a port and wait for an incoming connection. It´s very risky to evaluate a program as malware just because it opens a port.
People should know that in malware analysis, the automatic processes can not be compared to the human analysis, specially when it´s done by experts. I´m not an expert coder, malware analyzer or similar. SandDiff just pretends to be an orientative tool.
There are no malware actions "per se", so I can not say "this program is malware because it did this or that". E.g. A malware may add itself to an autorun registry, but legit software may do it too.
It´s the user who must, in last term, evaluate if the analyzed program should be doing certain things or not.
Building a list of malicious actions will take time. I will wait for tzuk to release a Sandboxie version including the message logging feature as it will be a very important part of the analyzer. Therefore there will not be new version of SandDiff for a while.
Meanwhile test as much as possible the current version and send your feedback!
Changes:
+ Certain files will be stored under a folder named "Config".
+ I added the exclusion list feature.
The user can define what strings must be discarded from difference files. String search is case-insensitive.
With that changes the part of the program comparing differences between 2 sandboxes is, at least at the moment, finished. I don´t plan adding new features to this part, only fix bugs if any is found, but if someone suggests an interesting feature I will be glad to consider adding it.
Now I will start working in the part of the program that analyzes all the differences and evaluates if taken actions can be considered as suspicious.
My final goal is to create a report listing all the actions that were considered suspicious, if any, and give an evaluation based on them. For this I must create a list of suspicious actions and assign them a "malicious ratio".
Finally the analysing module would say that analysed program(s) has a "low", "medium" or "high" risk of being a malware.
I say it now and I would like to don´t have to repeat it very much: Nobody can expect 100% accurate results, probably not even a 1% in some cases.
Some malwares will detect Sandboxie is running so they will abort operations. In such cases the analysis will be useless.
Some malwares don´t start malicious actions inmediately after being run. Again, in such cases the analysis will be very probably useless.
Some malwares (backdoors mainly) just open a port and wait for an incoming connection. It´s very risky to evaluate a program as malware just because it opens a port.
People should know that in malware analysis, the automatic processes can not be compared to the human analysis, specially when it´s done by experts. I´m not an expert coder, malware analyzer or similar. SandDiff just pretends to be an orientative tool.
There are no malware actions "per se", so I can not say "this program is malware because it did this or that". E.g. A malware may add itself to an autorun registry, but legit software may do it too.
It´s the user who must, in last term, evaluate if the analyzed program should be doing certain things or not.
Building a list of malicious actions will take time. I will wait for tzuk to release a Sandboxie version including the message logging feature as it will be a very important part of the analyzer. Therefore there will not be new version of SandDiff for a while.
Meanwhile test as much as possible the current version and send your feedback!
Looks like I get an ACCESS DENIED error for 'C:\Windows\System32\NETSTAT.EXE' ... probably because it doesn't exist there on Win7. I have that file here:
C:\Windows\winsxs\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7600.16385_none_329d49cdb031b824\NETSTAT.EXE
C:\Windows\winsxs\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7600.16385_none_329d49cdb031b824\NETSTAT.EXE
Code: Select all
370 9:38:47.4284740 PM sanddiff.exe 908 CreateFile C:\Windows\System32 SUCCESS Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Open For Backup, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
371 9:38:47.4285282 PM sanddiff.exe 908 QueryDirectory C:\Windows\System32\netstat.exe SUCCESS Filter: netstat.exe, 1: NETSTAT.EXE
372 9:38:47.4285768 PM sanddiff.exe 908 CloseFile C:\Windows\System32 SUCCESS
373 9:38:47.4294792 PM sanddiff.exe 908 QueryOpen C:\Windows\System32\NETSTAT.EXE FAST IO DISALLOWED
374 9:38:47.4295919 PM sanddiff.exe 908 CreateFile C:\Windows\System32\NETSTAT.EXE SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open For Backup, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
375 9:38:47.4297151 PM sanddiff.exe 908 CreateFile C:\Windows\System32\NETSTAT.EXE SUCCESS Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
376 9:38:47.4298660 PM sanddiff.exe 908 QueryFileInternalInformationFile C:\Windows\System32\NETSTAT.EXE SUCCESS IndexNumber: 0x1000000004894
377 9:38:47.4298887 PM sanddiff.exe 908 CloseFile C:\Windows\System32\NETSTAT.EXE SUCCESS
378 9:38:47.4300612 PM sanddiff.exe 908 QueryBasicInformationFile C:\Windows\System32\NETSTAT.EXE SUCCESS CreationTime: 7/13/2009 6:55:12 PM, LastAccessTime: 7/13/2009 6:55:12 PM, LastWriteTime: 7/13/2009 8:14:27 PM, ChangeTime: 7/28/2009 3:33:19 PM, FileAttributes: A
379 9:38:47.4300766 PM sanddiff.exe 908 CloseFile C:\Windows\System32\NETSTAT.EXE SUCCESS
380 9:38:47.4302429 PM sanddiff.exe 908 CreateFile C:\Windows\System32\NETSTAT.EXE ACCESS DENIED Desired Access: Generic Read/Write, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a
381 9:38:47.4303495 PM sanddiff.exe 908 CreateFile C:\Windows\System32\NETSTAT.EXE SUCCESS Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
382 9:38:47.4304819 PM sanddiff.exe 908 QueryFileInternalInformationFile C:\Windows\System32\NETSTAT.EXE SUCCESS IndexNumber: 0x1000000004894
383 9:38:47.4305022 PM sanddiff.exe 908 CloseFile C:\Windows\System32\NETSTAT.EXE SUCCESS
Thanks for the report. I will change it.
Edit: I just checked my Windows 7 and NETSTAT.EXE is in Windows\System32 folder.
The problem is that for a reason I don´t know, I can not call it directly from my program.
The workaround I did was to copy NETSTAT.EXE to SandDiff´s folder and execute it from there.
Edit: I just checked my Windows 7 and NETSTAT.EXE is in Windows\System32 folder.
The problem is that for a reason I don´t know, I can not call it directly from my program.
The workaround I did was to copy NETSTAT.EXE to SandDiff´s folder and execute it from there.
Don´t you have NETSTAT.EXE in your Windows\System32 folder?wraithdu wrote:Sounds like it has to do with some kind of SideBySide installation. I don't know why netstat would be installed that way though...
How are you calling it from your program? CreateProcess? ShellExecute? Through cmd?
I have it there and in the path you mentioned.
ShellExecute but the problem is that the file seems to be in use.
Hmm, weird. My file manager shows netstat in both System32 and that winsxs directory. However my search program Everything (www.voidtools.com) only shows the copy in the winsxs folder.
I installed Windows 7 just a few days ago and I didn´t have time yet to take a close look at it but it´s obvious that there are different things compared to XP. (I never wanted to try Vista)
When I try to open NETSTAT.EXE (both from systems32 and winsxs folders) I get in return a "file in use" but I can copy the file to other folder.
Meanwhile I don´t understand why it happens the workaround should work anyway.
When I try to open NETSTAT.EXE (both from systems32 and winsxs folders) I get in return a "file in use" but I can copy the file to other folder.
Meanwhile I don´t understand why it happens the workaround should work anyway.
wraithdu, I have uploaded a new version:
http://sanddiff.qnea.de/sanddiff.rar
Let me know if the bug is gone, please.
http://sanddiff.qnea.de/sanddiff.rar
Let me know if the bug is gone, please.
Using the latest Everything alpha build (1.2.1.432) here on Vista, it appears that Everything is ignoring the contents of \System32.wraithdu wrote:However my search program Everything (www.voidtools.com) only shows the copy in the winsxs folder.
First edit: I reverted back to build 1.2.1.371 and get the same result.
Final edit: It turns out that C:\Windows\System32\netstat.exe is a hardlink...
Everything's developer wrote:Only the first hardlink of a file will be indexed and monitored.
Files that are not the first hardlink will not be indexed or monitored.
This is a limitation of the USN Change Journal.
I have plans to index all hard links in the future.
However, you will have to update the indexes manually as the USN Change Journal does not support hardlinks.
Last edited by nick s on Tue Oct 13, 2009 11:18 pm, edited 3 times in total.
Nick
netstat -anowraithdu wrote:Sweet, works well.
What is your command line for launching netstat? I'd like to test if I have the same problem as you. You said you used ShellExecute right?
ShellExecute, right.
It´s something like this (Delphi code)
Code: Select all
FillChar(SEInfo, SizeOf(SEInfo), 0) ;
SEInfo.cbSize := SizeOf(TShellExecuteInfo) ;
with SEInfo do
begin
fMask := SEE_MASK_NOCLOSEPROCESS;
Wnd := Application.Handle;
lpFile := PChar(ExecuteFile) ;
lpParameters := PChar(Parameters);
nShow := SW_NORMAL;
end;
if ShellExecuteEx(@SEInfo) then
begin
repeat
Application.ProcessMessages;
GetExitCodeProcess(SEInfo.hProcess, ExitCode) ;
until (ExitCode <> STILL_ACTIVE) or Application.Terminated;
end;
Who is online
Users browsing this forum: No registered users and 0 guests