
SandboxDiff - Registry/Files changes

Posted: Sat Oct 03, 2009 3:45 pm
by tzuk
Oopsie.

There was a spam/silly post as the first/only post of the last page of the old "SandboxDiff - Registry/Files changes" topic, and I accidentally deleted the entire topic instead of just the one post.

Edit: The original topic is now restored.

SandboxDiff 1.7 - Updated

Posted: Thu Oct 29, 2009 3:48 pm
by majoMo
SandboxDiff 1.7 updated.

Changes:

- Listed modified files - uses the CRC32 checksum algorithm, simple file verification (SFV). Thanks to Todd, Sandboxie user, for the suggestion.
- SandboxDiff.exe doesn't need to stay in sandbox folder anymore.


The changes made by the application sandboxed are in the files:

- Registry changes:

Comp-Reg.txt - lists registry changes (values only) in text format.
Comp-Reg.REG.txt - lists registry changes (keys and values) in .reg format (Windows Registry Editor Version 5.00).
Comp-Reg.html - lists all registry entries (values) sandboxed in text/html format (and the registry values changes).

- Files changes:

Comp-Files.txt - lists added/removed files and folders.
Comp-FilesCRC.txt - lists added/removed files - and modified files (uses the CRC32 checksum algorithm, simple file verification (SFV)).
Comp-Files.html - lists all files and folders in sandbox folder - and added/removed files and folders.




Download in: Contributed Utilities page.
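As an added example (not SandboxDiff's own code, which is not published here), this is the file-side comparison the post describes, written in Python: snapshot a folder tree with one CRC32 per file, diff two snapshots into added/removed/modified, and render a snapshot as SFV lines. The function names, the temporary folder and its contents are constructed for the demo.

```python
# Added example: CRC32 (SFV-style) snapshot and diff of a sandbox folder.
# Not SandboxDiff's code; the folder contents below are constructed.
import os
import tempfile
import zlib
from pathlib import Path


def crc32_of_file(path: Path) -> int:
    """CRC32 of a file, streamed in chunks so large files need not fit in memory."""
    crc = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def snapshot(root: Path) -> dict:
    """Map each file (path relative to root, forward slashes) to its CRC32."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            result[full.relative_to(root).as_posix()] = crc32_of_file(full)
    return result


def to_sfv(snap: dict) -> str:
    """Render a snapshot as SFV lines: '<name> <CRC32 as 8 hex digits>'."""
    return "\n".join(f"{name} {crc:08X}" for name, crc in sorted(snap.items()))


def diff_snapshots(before: dict, after: dict) -> dict:
    """Added = only in after, removed = only in before, modified = same path, new CRC."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(n for n in set(before) & set(after) if before[n] != after[n])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed sandbox folder: snapshot, simulate a run, snapshot again, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "config.ini").write_text("debug=0\n")
        (root / "app" / "readme.txt").write_text("hello\n")
        (root / "stale.log").write_text("old\n")
        before = snapshot(root)
        # Simulated changes made by the sandboxed application
        (root / "app" / "config.ini").write_text("debug=1\n")  # modified: same name, new content
        (root / "stale.log").unlink()                           # removed
        (root / "dropped.dll").write_bytes(b"MZ\x90\x00")       # added
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

The checksum is what makes the "modified" list possible: a file rewritten with the same size and timestamp still changes its CRC. CRC32 is an error-detection code, not a cryptographic hash, so two different contents can share a value; for an evidence-grade record of what an application changed, compute SHA-256 alongside the CRC and keep size and modification time in the snapshot as well.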

Posted: Sun Dec 13, 2009 9:28 am
by Buster
Majomo: SandboxDiff and Buster SandBox Analyzer work in a similar way in some aspects: looking for file and registry differences.

Since I released Buster Sandbox Analyzer I knew the registry part was not fully accurate. I thought it was pretty accurate most of the time but after spending some time debugging code and making intensive tests I understood I was wrong.

I know many people use SandboxDiff and I don't pretend to create a polemic reaction, I just pretend to inform: SandboxDiff has the same problems Buster Sandbox Analyzer had and this means it doesn't show accurate results. An example will better illustrate the problem.

I have mIRC installed and registry settings are under HKEY_CURRENT_USER\Software\mIRC

After removing a value key from there, no reference to it appears in Comp-Reg.html.

If you need help to reproduce the test let me know.

Posted: Sun Dec 13, 2009 7:35 pm
by majoMo
Buster wrote: After removing a value key from there, no reference to it appears in Comp-Reg.html.
You are right. When a value key is emptied, no reference to it appears in "Comp-Reg.html" and "Comp-Reg.txt".

SandboxDiff uses 'regdump.exe' by Ladislav Nevery (who made an excellent tool); it has some bugs, e.g. it also crashes when loading some hive files.

SandboxDiff allows users to have an accurate result; any 'regdump.exe' bug is surpassed: "Comp-Reg.REG.txt" records all registry changes in .reg format (Windows Registry Editor Version 5.00).

DOWNLOAD LINK IN FIRST POST
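The exchange above turns on one failure mode: a registry diff that only lists values present in the "after" dump cannot show a value that was deleted or a key that was removed. As an added example (not SandboxDiff's or regdump's code), the Python below parses two .reg-format dumps, diffs them, and writes the changes back out in .reg syntax, where `"name"=-` deletes a value and `[-key]` deletes a key, so removals are recorded rather than dropped. The `BEFORE`/`AFTER` dumps are constructed, modelled on the mIRC case described above: "Nick" is deleted, "Away" is emptied, and one key is added and one removed.

```python
# Added example: diff two .reg dumps and record deletions in .reg syntax.
# Not SandboxDiff's code; the BEFORE/AFTER dumps are constructed.
from typing import Dict, List

RegSnapshot = Dict[str, Dict[str, str]]  # key path -> {value name -> raw data text}


def parse_reg(text: str) -> RegSnapshot:
    """Parse 'Windows Registry Editor Version 5.00' text into nested dicts.
    Data is kept as the raw right-hand side ("str", dword:..., hex:...), which is
    enough for comparison. Hex lines continued with a trailing backslash are joined;
    escaped quotes inside value names are honoured."""
    snap: RegSnapshot = {}
    current = None
    pending = ""
    for raw in text.lstrip("\ufeff").splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # data continues on the next line
            pending = line[:-1]
            continue
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            snap.setdefault(current, {})
            continue
        if current is None:
            continue
        if line.startswith("@="):        # the key's default value
            snap[current]["@"] = line[2:]
            continue
        if line[0] != '"':
            continue                     # not a value line
        end = 1
        while end < len(line) and line[end] != '"':
            end += 2 if line[end] == "\\" else 1   # skip escaped characters
        if end >= len(line) or not line.startswith("=", end + 1):
            continue                     # malformed value line; ignore it
        snap[current][line[1:end]] = line[end + 2:]
    return snap


def diff_reg(before: RegSnapshot, after: RegSnapshot) -> dict:
    """Added keys (with their values), removed keys, and per-key set/deleted values."""
    changes = {"added_keys": {}, "removed_keys": [], "modified": {}}
    for key in sorted(set(after) - set(before)):
        changes["added_keys"][key] = dict(after[key])
    changes["removed_keys"] = sorted(set(before) - set(after))
    for key in sorted(set(before) & set(after)):
        b, a = before[key], after[key]
        set_vals = {n: a[n] for n in sorted(a) if n not in b or b[n] != a[n]}
        deleted = sorted(n for n in b if n not in a)   # the case the thread is about
        if set_vals or deleted:
            changes["modified"][key] = {"set": set_vals, "deleted": deleted}
    return changes


def _fmt_name(name: str) -> str:
    return "@" if name == "@" else f'"{name}"'


def to_reg(changes: dict) -> str:
    """Render the diff as an importable .reg file: '=-' deletes a value, '[-key]' a key."""
    out: List[str] = ["Windows Registry Editor Version 5.00", ""]
    for key, entry in changes["modified"].items():
        out.append(f"[{key}]")
        out += [f"{_fmt_name(n)}={d}" for n, d in entry["set"].items()]
        out += [f"{_fmt_name(n)}=-" for n in entry["deleted"]]
        out.append("")
    for key, values in changes["added_keys"].items():
        out.append(f"[{key}]")
        out += [f"{_fmt_name(n)}={d}" for n, d in values.items()]
        out.append("")
    for key in changes["removed_keys"]:
        out += [f"[-{key}]", ""]
    return "\n".join(out)


# Constructed dumps (not real mIRC data): Nick deleted, Away emptied, DateVersion changed,
# UserName key removed, Extras key added; LastRun is unchanged and spans two lines.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\mIRC]
"DateVersion"=dword:00000001
"Nick"="petal"
"Away"="brb"
"LastRun"=hex:01,02,\
  03,04

[HKEY_CURRENT_USER\Software\mIRC\UserName]
"Name"="Petal"
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\mIRC]
"DateVersion"=dword:00000002
"Away"=""
"LastRun"=hex:01,02,\
  03,04

[HKEY_CURRENT_USER\Software\mIRC\Extras]
"Enabled"="yes"
"""


def demo() -> dict:
    return diff_reg(parse_reg(BEFORE), parse_reg(AFTER))


if __name__ == "__main__":
    print(to_reg(demo()))
```

Comparing whole snapshots rather than listing the "after" side is what makes the deleted "Nick" value and the removed UserName key visible; an emptied value shows up as a normal change to `""`. Because the output is .reg syntax, the same file that documents the changes can be reviewed line by line before anyone decides whether to keep or revert them.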

Not for x64

Posted: Wed Mar 10, 2010 6:08 am
by noise
It appears the program will not run under an x64 operating system :(

---------------------------
Unsupported 16-Bit Application
---------------------------
The program or feature "\??\C:\Users\noise\AppData\Local\REPLACE.EXE" cannot start or run due to incompatibity with 64-bit versions of Windows. Please contact the software vendor to ask if a 64-bit Windows compatible version is available.


---------------------------
OK
---------------------------

Posted: Wed Mar 10, 2010 9:50 am
by majoMo
@ noise,

Thanks for your information. :wink:

Since I can't test it on an x64 OS, can you download and try the newer version?

Thanks.

Download Link In: FIRST POST

Posted: Thu Mar 11, 2010 2:52 am
by noise
I can confirm that the new version is working correctly with Windows 7 x64 Professional.

Thanks :)

Posted: Thu Mar 11, 2010 5:21 am
by noise
Hi again.

I always seem to get the following error message:

---------------------------
RegDiff
---------------------------
File open error:[hive_1.reg.txt]
---------------------------
OK
---------------------------

I run SandboxDiff from outside the Sandbox folder.
Before I run SandboxDiff I make sure there is a RegHive file in C:\Sandbox\noise\DefaultBox.
I ran the UserPath.bat which successfully copied.

When I close the error box I have the following files:

Comp-Files.html
Comp-Files.txt
Comp-FilesCRC.txt
Comp-Reg.html
Comp-Reg.txt

Thanks
noise

Posted: Thu Mar 11, 2010 9:00 am
by majoMo
@ noise, thanks for your feedback. :wink:

It seems you are running in a limited user account. Please check that you are in an Administrator account when running SandboxDiff (or perhaps you can run it successfully with "Run as Administrator").

Posted: Thu Mar 11, 2010 9:31 am
by noise
I did not even think of running SandboxDiff as an admin. doh! I even read on here that you suggested another user run it with admin rights, it should have clicked!

I can confirm that it works correctly when you run it as an admin.

Here is a snippet of the .REG file:

Windows Registry Editor Version 5.00

[HKEY_USERS\hive\machine\System\CurrentControlSet\Control]

[HKEY_USERS\hive\machine\System\CurrentControlSet\Control\NetworkProvider]

[HKEY_USERS\hive\machine\System\CurrentControlSet\Control\NetworkProvider\HwOrder]

[HKEY_USERS\hive\machine\software\Wow6432Node]

[HKEY_USERS\hive\machine\software\Wow6432Node\Microsoft]

[HKEY_USERS\hive\machine\software\Wow6432Node\Microsoft\Windows]

[HKEY_USERS\hive\machine\software\Wow6432Node\Microsoft\Windows\CurrentVersion]

[HKEY_USERS\hive\machine\software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall]

Thanks
noise

SandboxDiff v. 2.0 - Updated

Posted: Thu May 13, 2010 10:17 am
by majoMo
SandboxDiff updated to version 2.0.

Fixed an issue when running the analysis process. Some minor changes.

Download in first post.

Posted: Tue May 25, 2010 2:45 pm
by Lardu
Hi.
Just to let you know: if the username of the Windows user has Nordic letters in it (äöå)
(and then the path in the sandbox dir does too),
your app won't start and gives the error box about not being able to load the reghive file.

Posted: Wed Jun 02, 2010 4:18 pm
by majoMo
Hi Lardu,

Thanks for reporting; that will let us handle this path-character issue.

It will be fixed in the next 'SandboxDiff' update version.

Thanks again!

EDIT: Done.

Malware?

Posted: Sun Aug 15, 2010 10:34 am
by Petal
http://www.virustotal.com/file-scan/rep ... 1281881946

Jiangmin 13.0.900 2010.08.15 Trojan/Vilsel.lhi
Kaspersky 7.0.0.125 2010.08.15 -
McAfee 5.400.0.1158 2010.08.15 Suspect-D!13C28009A57C

A trojan "is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems".

Is this really safe? :?: :idea:

Re: Malware?

Posted: Sun Aug 15, 2010 10:53 am
by Mark_
Petal wrote:http://www.virustotal.com/file-scan/rep ... 1281881946

Jiangmin 13.0.900 2010.08.15 Trojan/Vilsel.lhi
Kaspersky 7.0.0.125 2010.08.15 -
McAfee 5.400.0.1158 2010.08.15 Suspect-D!13C28009A57C

A trojan "is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems".

Is this really safe? :?: :idea:
never scan an archive,
scan binary files each on its own.