SandboxDiff - Registry/Files changes
Oopsie.
There was a spam/silly post as the first/only post of the last page of the old "SandboxDiff - Registry/Files changes" topic, and I accidentally deleted the entire topic instead of just the one post.
Edit: The original topic is now restored.
tzuk
SandboxDiff 1.7 - Updated
SandboxDiff 1.7 updated.
Changes:
- Lists modified files, using the CRC32 checksum algorithm (simple file verification, SFV). Thanks to Todd, Sandboxie user, for the suggestion.
- SandboxDiff.exe doesn't need to stay in the sandbox folder anymore.
The changes made by the sandboxed application are written to these files:
- Registry changes:
Comp-Reg.txt - lists registry changes (values only) in text format.
Comp-Reg.REG.txt - lists registry changes (keys and values) in .reg format (Windows Registry Editor Version 5.00).
Comp-Reg.html - lists all sandboxed registry entries (values) in text/html format (and the registry value changes).
- File changes:
Comp-Files.txt - lists added/removed files and folders.
Comp-FilesCRC.txt - lists added/removed files and modified files (using the CRC32 checksum algorithm, simple file verification (SFV)).
Comp-Files.html - lists all files and folders in the sandbox folder, and added/removed files and folders.
Download in: Contributed Utilities page.
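As an added illustration of what the Comp-FilesCRC.txt listing above does (example code written for this thread, not SandboxDiff's own): take a CRC32 snapshot of a folder before and after the sandboxed program runs, then diff the two into added, removed and modified files. The folder layout and file contents are constructed for the demo.

```python
import os
import tempfile
import zlib
from typing import Dict, List

def crc32_of_file(path: str) -> int:
    """Streamed CRC32 so large files are not read into memory at once."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF

def snapshot(root: str) -> Dict[str, int]:
    """Map each file's path (relative to root, '/' separated) to its CRC32."""
    result: Dict[str, int] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = crc32_of_file(full)
    return result

def diff_snapshots(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, List[str]]:
    """Added/removed come from the path sets; modified from CRC mismatches on common paths."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }

def demo() -> Dict[str, List[str]]:
    """Constructed sample: a temporary 'sandbox' folder changed between two snapshots."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: bytes) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        write("user/current/config.ini", b"[main]\nrun=0\n")
        write("drive/C/old.tmp", b"temp")
        before = snapshot(root)
        # Simulated activity of the sandboxed program between the two snapshots.
        write("user/current/config.ini", b"[main]\nrun=1\n")  # modified: CRC changes
        write("drive/C/dropped.exe", b"constructed bytes")    # added
        os.remove(os.path.join(root, "drive/C/old.tmp"))      # removed
        return diff_snapshots(before, snapshot(root))
```

CRC32 is fine for spotting that a file changed during a run, but it is not collision-resistant, so for integrity evidence you would swap `zlib.crc32` for a cryptographic hash such as SHA-256.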
Majomo: SandboxDiff and Buster SandBox Analyzer work in a similar way in some aspects: looking for file and registry differences.
Since I released Buster Sandbox Analyzer I knew the registry part was not fully accurate. I thought it was pretty accurate most of the time but after spending some time debugging code and making intensive tests I understood I was wrong.
I know many people use SandboxDiff and I don't pretend to create a polemic reaction, I just pretend to inform: SandboxDiff has the same problems Buster Sandbox Analyzer had, and this means it doesn't show accurate results. An example will better illustrate the problem.
I have mIRC installed and its registry settings are under HKEY_CURRENT_USER\Software\mIRC.
After removing a value key from there, no reference to it appears in Comp-Reg.html.
If you need help to reproduce the test let me know.
Buster wrote: After removing a value key from there, no reference to it appears in Comp-Reg.html.
You are right. When a value key is emptied, no reference to it appears in "Comp-Reg.html" and "Comp-Reg.txt".
SandboxDiff uses 'regdump.exe' by Ladislav Nevery (who made an excellent tool); it has some bugs - e.g. it also crashes when loading some hive files.
SandboxDiff allows users to have an accurate result; any 'regdump.exe' bug is surpassed: "Comp-Reg.REG.txt" records all registry changes in .reg format (Windows Registry Editor Version 5.00).
DOWNLOAD LINK IN FIRST POST
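An added example (not SandboxDiff's or regdump's code) of the point made in the reply above: a diff written in .reg format can express a deleted value as "Name"=- and a deleted key as [-Key], which a values-only text listing cannot. The two registry dumps are constructed in memory and model string values only.

```python
from typing import Dict

# Constructed in-memory registry dump: key path -> {value name: string data}.
# Assumption: only REG_SZ values are modelled; real dumps also carry DWORD, binary, etc.
RegDump = Dict[str, Dict[str, str]]


def reg_quote(s: str) -> str:
    """Escape backslashes and double quotes as the .reg format requires."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def reg_diff(before: RegDump, after: RegDump) -> str:
    """Emit a .reg script that turns 'before' into 'after', deletions included."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted(set(before) | set(after)):
        if key not in after:
            lines += [f"[-{key}]", ""]  # leading '-' deletes the whole key
            continue
        old, new = before.get(key, {}), after[key]
        entries = []
        for name in sorted(set(old) | set(new)):
            if name not in new:
                entries.append(f'"{reg_quote(name)}"=-')  # '=-' deletes the value
            elif old.get(name) != new[name]:
                entries.append(f'"{reg_quote(name)}"="{reg_quote(new[name])}"')
        if entries or key not in before:
            lines += [f"[{key}]", *entries, ""]
    return "\n".join(lines)


def demo() -> str:
    """The thread's scenario, constructed: a value removed under HKCU\\Software\\mIRC."""
    mirc = r"HKEY_CURRENT_USER\Software\mIRC"
    temp = r"HKEY_CURRENT_USER\Software\Temp"
    before: RegDump = {mirc: {"UserName": "alice", "LastRun": "1"}, temp: {"x": "y"}}
    # LastRun deleted, UserName changed, Temp key removed entirely.
    after: RegDump = {mirc: {"UserName": "bob"}}
    return reg_diff(before, after)


if __name__ == "__main__":
    print(demo())
```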
Not for x64
It appears the program will not run under an x64 operating system
---------------------------
Unsupported 16-Bit Application
---------------------------
The program or feature "\??\C:\Users\noise\AppData\Local\REPLACE.EXE" cannot start or run due to incompatibity with 64-bit versions of Windows. Please contact the software vendor to ask if a 64-bit Windows compatible version is available.
---------------------------
OK
---------------------------
@ noise,
Thanks for your information.
Since I can't test it on an x64 OS, can you download and try the newer version?
Thanks.
Download Link In: FIRST POST
Hi again.
I always seem to get the following error message:
---------------------------
RegDiff
---------------------------
File open error:[hive_1.reg.txt]
---------------------------
OK
---------------------------
I run SandboxDiff from outside the Sandbox folder.
Before I run SandboxDiff I make sure there is a RegHive file in C:\Sandbox\noise\DefaultBox.
I ran the UserPath.bat which successfully copied.
When I close the error box I have the following files:
Comp-Files.html
Comp-Files.txt
Comp-FilesCRC.txt
Comp-Reg.html
Comp-Reg.txt
Thanks
noise
I did not even think of running SandboxDiff as an admin. doh! I even read on here that you suggested another user run it with admin rights, it should have clicked!
I can confirm that it works correctly when you run it as an admin.
Here is a snippet of the .REG file:
Windows Registry Editor Version 5.00
[HKEY_USERS\hive\machine\System\CurrentControlSet\Control]
[HKEY_USERS\hive\machine\System\CurrentControlSet\Control\NetworkProvider]
[HKEY_USERS\hive\machine\System\CurrentControlSet\Control\NetworkProvider\HwOrder]
[HKEY_USERS\hive\machine\software\Wow6432Node]
[HKEY_USERS\hive\machine\software\Wow6432Node\Microsoft]
[HKEY_USERS\hive\machine\software\Wow6432Node\Microsoft\Windows]
[HKEY_USERS\hive\machine\software\Wow6432Node\Microsoft\Windows\CurrentVersion]
[HKEY_USERS\hive\machine\software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall]
noise
SandboxDiff v. 2.0 - Updated
SandboxDiff updated to version 2.0.
Fixed an issue when running the analysis process. Some minor changes.
Download in first post.
Malware?
http://www.virustotal.com/file-scan/rep ... 1281881946
Jiangmin 13.0.900 2010.08.15 Trojan/Vilsel.lhi
Kaspersky 7.0.0.125 2010.08.15 -
McAfee 5.400.0.1158 2010.08.15 Suspect-D!13C28009A57C
A trojan "is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems".
Is this really safe?
Re: Malware?
Petal wrote:
http://www.virustotal.com/file-scan/rep ... 1281881946
Jiangmin 13.0.900 2010.08.15 Trojan/Vilsel.lhi
Kaspersky 7.0.0.125 2010.08.15 -
McAfee 5.400.0.1158 2010.08.15 Suspect-D!13C28009A57C
A trojan "is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems".
Is this really safe?
Never scan an archive; scan binary files each on its own.