Hi.
I asked majoMo to include some new features in his tool but sadly he is not coding it himself, so I decided to try to code a similar tool. I´m not a real coder so don´t be so hard with me.
You can find my tool (I named it SandDiff meanwhile I don´t find a better name) here:
http://www.megaupload.com/?d=BOA44FQ3
It´s very simple to use:
1.- First you must define the path to the sandbox folder you want to process. e.g. Defaultbox would be something like: C:\SANDBOX\UserName\DefaultBox
Here there is a difference with majoMo´s tool. His tool will process all sandboxes when checking for file differences. My tool only check for a specified sandbox.
2.- Before pressing "Step 1" button you must sandbox something, e.g. CALC.EXE.
This is the way to initialize the comparision process. It´s like the "before" state of the sandbox.
3.- Before pressing "Step 2" button you must sandbox whatever you want.
When you are done terminate all proceses and then click the "Step 2" button.
Then we will get the "after" state of the sandbox and we are ready to compare the "before" and the "after".
4.- File differences will be saved to FileDiff.TXT and registry differences to RegDiff.TXT.
2 new buttons will apear: one to launch a viewer to see file differences and other to launch a viewer to see registry differences.
The viewer will be available meanwhile you don´t close the application or don´t restart it.
After closing the tool several temporal files will be deleted and only FileDiff.TXT and RegDiff.TXT will remain on disk.
The tool has a "Restart" function in the "Menu". That way you can do a new comparision without leaving the application.
SandDiff will remember last used sandbox. For this the registry is used to store the required information.
I plan to improve the tool. TODO list would be:
+ Feature to switch from registry to file differences and viceversa directly from viewer
+ Feature to exclude files and registry entries from differences
If anyone has any other ideas just let me know.
P.S. Next version will have enabled the folder browser button.
SandDiff
-
Guest
Hi Buster,
cool, thanks for this!
- Is it by design that the user can enter text in the two viewer panes? What I mean, they aren't read-only.
- The button right of the edit field does nothing, thought it would open a "Select folder" dialog.
- Start the program the first time and press the Step 1 button, an access violation window appears.
- You should also mention that the sandbox option "Automatically delete contents of sandbox" has to be disabled.
cool, thanks for this!
- Is it by design that the user can enter text in the two viewer panes? What I mean, they aren't read-only.
Please change it, please don't use the registry. Store the data in the programs folder as ini/xml or whatever.SandDiff will remember last used sandbox. For this the registry is used to store the required information.
- The button right of the edit field does nothing, thought it would open a "Select folder" dialog.
- Start the program the first time and press the Step 1 button, an access violation window appears.
- You should also mention that the sandbox option "Automatically delete contents of sandbox" has to be disabled.
I´m glad you like it.Ruhe wrote:Hi Buster,
cool, thanks for this!
Yes, it´s by design. I must change that, I know.Ruhe wrote:- Is it by design that the user can enter text in the two viewer panes? What I mean, they aren't read-only.
No problem.Ruhe wrote:-Please change it, please don't use the registry. Store the data in the programs folder as ini/xml or whatever.
Read my P.S. from my first post.Ruhe wrote:- The button right of the edit field does nothing, thought it would open a "Select folder" dialog.
Only first time? Not on second and later?Ruhe wrote:- Start the program the first time and press the Step 1 button, an access violation window appears.
Ruhe wrote:- You should also mention that the sandbox option "Automatically delete contents of sandbox" has to be disabled.
I consider this tool is for advanced users. A user like that one does not need that kind of obvious information.
I just uploaded a new release of SandDiff, version 1.01.
People interested can get it from: http://www.megaupload.com/?d=2WB3E6BP
List of modifications and new features:
+ I changed the GUI a bit, mainly messages.
+ Version 1.01 does not save information to registry. Now it´s saved to an .INI file per request of Ruhe.
+ The button to launch a folder navigator works now.
+ Viewer panels are now read only. This mean you can not edit contents.
+ I added an option to keep "before" and "after" temporal files. They are used to generate FileDiff.TXT and RegDiff.TXT and they are in text format too. As they may be useful for someone I give the option to easily keep them.
Just one note: The feature is to avoid deleting those files (RegHive1/RegHive2 and FileList1/FileList2) on exit.
If someone does several processes the files should be kept manually. (just copy them apart)
+ I have added an option to simulate a totally empty Sandbox. (No registry values and only RegHive and RegHive.LOG files)
So now SandDiff can compare differences between a sandbox in 2 different moments or the changes produced to a totally empty sandbox.
+ From this version the viewer is called from a single button. From inside the viewer the user can switch from File to Registry view and viceversa.
+ FileDiff.TXT is now more detailed. From version 1.01 it will show removed files (marked with a "-") and new files (marked with a "+" sign)
Probably I miss something but that´s more or less what I changed from version 1.0 to 1.01.
Just let me know if anyone finds a bug or have any suggestion or feature request.
In my TODO list I got:
+ Apart of showing deleted/new files I want to include a feature to compare file contents so modified files can be reported too: useful to catch virus file modifications.
+ I want to add a feature to exclude from differences user defined files and probably registry values too.
People interested can get it from: http://www.megaupload.com/?d=2WB3E6BP
List of modifications and new features:
+ I changed the GUI a bit, mainly messages.
+ Version 1.01 does not save information to registry. Now it´s saved to an .INI file per request of Ruhe.
+ The button to launch a folder navigator works now.
+ Viewer panels are now read only. This mean you can not edit contents.
+ I added an option to keep "before" and "after" temporal files. They are used to generate FileDiff.TXT and RegDiff.TXT and they are in text format too. As they may be useful for someone I give the option to easily keep them.
Just one note: The feature is to avoid deleting those files (RegHive1/RegHive2 and FileList1/FileList2) on exit.
If someone does several processes the files should be kept manually. (just copy them apart)
+ I have added an option to simulate a totally empty Sandbox. (No registry values and only RegHive and RegHive.LOG files)
So now SandDiff can compare differences between a sandbox in 2 different moments or the changes produced to a totally empty sandbox.
+ From this version the viewer is called from a single button. From inside the viewer the user can switch from File to Registry view and viceversa.
+ FileDiff.TXT is now more detailed. From version 1.01 it will show removed files (marked with a "-") and new files (marked with a "+" sign)
Probably I miss something but that´s more or less what I changed from version 1.0 to 1.01.
Just let me know if anyone finds a bug or have any suggestion or feature request.
In my TODO list I got:
+ Apart of showing deleted/new files I want to include a feature to compare file contents so modified files can be reported too: useful to catch virus file modifications.
+ I want to add a feature to exclude from differences user defined files and probably registry values too.
Last edited by Buster on Tue Sep 22, 2009 3:54 pm, edited 1 time in total.
Ruhe has been so kind to host SandDiff.
Here you have the address to main page: http://sanddiff.qnea.de
Here you have a link to last version: http://sanddiff.qnea.de/sanddiff.rar
Here you have the address to main page: http://sanddiff.qnea.de
Here you have a link to last version: http://sanddiff.qnea.de/sanddiff.rar
I thought that I would like that SandDiff becomes something more than just a program showing differences between 2 sandboxes.
My idea is to make a program that after comparing differences can evaluate if the sandboxed application(s) may have performed malicious actions.
Before coding that part I want to finish the part getting differences.
I´m interested in active testers. Anyone?
My idea is to make a program that after comparing differences can evaluate if the sandboxed application(s) may have performed malicious actions.
Before coding that part I want to finish the part getting differences.
I´m interested in active testers. Anyone?
tzuk:
At common feature requests page (http://www.sandboxie.com/index.php?Comm ... reRequests) you comment:
I hope you can help me with the feature request I just did. It would help me a lot!
At common feature requests page (http://www.sandboxie.com/index.php?Comm ... reRequests) you comment:
I pretend SandDiff covers that feature request.Log program actions, file access and registry writes, and/or do behavior analysis on programs
Not likely: There are tools which excel at these tasks, but Sandboxie is not designed for that. Use the mix and match approach: Use an activity trace tool to analyze the behavior of a program running under the supervision of Sandboxie.
I hope you can help me with the feature request I just did. It would help me a lot!
Who is online
Users browsing this forum: No registered users and 1 guest
