Buster Sandbox Analyzer

Utilities designed for use with Sandboxie
Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Mon Nov 02, 2009 4:27 pm

Thanks, tzuk!

When you implement the message log file feature BSA will be more accurate.

BSA is, apart from being nice, very cheap. Probably many people don't know that the most similar tool to BSA is Norman Sandbox Analyzer and it costs around 12.000 euros for a one-year license.

Of course Norman's product is more advanced as it has been developed for some years by anti-malware professionals. Anyway I think that with a bit of work we can make BSA a tool worth having.

Ruhe
Posts: 803
Joined: Thu Jul 03, 2008 8:56 am
Location: Germany

Post by Ruhe » Tue Nov 03, 2009 7:09 am

Hi Buster,

even if the current version only consists of two files - a documentation in .txt or .pdf could be added too - do you think it could be useful to offer an executable setup? I know from experience that some (inexperienced) users prefer a setup.
Last edited by Ruhe on Tue Nov 03, 2009 7:42 am, edited 1 time in total.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Tue Nov 03, 2009 7:20 am

I guess I should write a manual.

I dislike executable setups. I prefer "portable" tools.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Wed Nov 04, 2009 4:48 pm

Buster Sandbox Analyzer is working fine.

In the next thread you can see the results of the first "field test" I did with it:

http://sandboxie.com/phpbb/viewtopic.php?t=6591

Mark_
Posts: 111
Joined: Wed Dec 31, 2008 3:48 pm

Post by Mark_ » Wed Nov 04, 2009 9:24 pm

you might want to take a look at SQLite for storing signatures, and maybe make some simple server/client protocol where you can submit locally created rules to a central server

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Thu Nov 05, 2009 2:30 am

Mark_ wrote:
you might want to take a look at SQLite for storing signatures, and maybe make some simple server/client protocol where you can submit locally created rules to a central server

It's not in my plans to create an anti-malware product.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Sat Nov 14, 2009 11:17 am

While I wait for the inclusion of the feature I requested, I have continued improving the tool.

I have included an API logger in the package that can help to obtain additional valuable information from the analyzed programs.

Here you can see a report generated from a variant of the Bagle worm:

[ Changes to filesystem ]
* Creates file D:\WINDOWS\AVBgle.exe
* Creates file D:\WINDOWS\base64.tmp

[ Changes to registry ]
* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
* Creates value "MSInfo=D:\WINDOWS\AVBgle.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
* Modifies value "AppData=D:\Documents and Settings\Test\Datos de programa" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
old value "AppData=D:\DOCUME~1\Test\Datos de programa"
* Modifies value "SavedLegacySettings=3C0000004E000000010000000000000000000000000000000400000000000000A04E57F7782DCA0101000000C0A800040000000000000000" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
old value "SavedLegacySettings=3C0000004D000000010000000000000000000000000000000400000000000000A04E57F7782DCA0101000000C0A800040000000000000000"

[ Network services ]
* Looks for an Internet connection.
* Connects to "212.27.42.58 (free.fr)" on port 25 (TCP).
* Connects to "74.125.79.114 (1e100.net)" on port 25 (TCP).
* Connects to "64.12.138.57 (aol.com)" on port 25 (TCP).
* Connects to "72.167.238.201 (secureserver.net)" on port 25 (TCP).

[ Process/window information ]
* Creates a mutex Bgl_*L*o*o*s*e*.
* Creates a mutex _!MSFTHISTORY!_.
* Creates a mutex d:!documents and settings!test!configuración local!archivos temporales de internet!content.ie5!.
* Creates a mutex d:!documents and settings!test!cookies!.
* Creates a mutex d:!documents and settings!test!configuración local!historial!history.ie5!.
* Creates a mutex (null).
* Creates a mutex RasPbFile.
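
As an added illustration (not code from BSA or from this post), here is a small Python parser for the report layout above. It turns the bracketed sections into structured entries and then flags the classic mass-mailer pattern an analyst looks for first: a file the sample dropped itself and registered under the Run key, plus outbound port-25 connections. The excerpt is constructed from lines of the report shown above.

```python
import re

# Constructed excerpt in the report layout shown in this post (values copied from it).
SAMPLE_REPORT = r"""[ Changes to filesystem ]
* Creates file D:\WINDOWS\AVBgle.exe
* Creates file D:\WINDOWS\base64.tmp
[ Changes to registry ]
* Creates value "MSInfo=D:\WINDOWS\AVBgle.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
* Modifies value "AppData=D:\Documents and Settings\Test\Datos de programa" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
old value "AppData=D:\DOCUME~1\Test\Datos de programa"
[ Network services ]
* Connects to "212.27.42.58 (free.fr)" on port 25 (TCP).
[ Process/window information ]
* Creates a mutex Bgl_*L*o*o*s*e*.
"""

def parse_report(text):
    """Map each '[ section ]' header to its '* ' entries; an 'old value' line attaches to the previous entry."""
    sections, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"^\[ (.+?) \]$", line.rstrip()):
            current = m.group(1)
        elif line.startswith("* ") and current is not None:
            sections.setdefault(current, []).append({"text": line[2:].rstrip(), "old": None})
        elif line.startswith("old value ") and sections.get(current):
            sections[current][-1]["old"] = line[len("old value "):].strip().strip('"')
    return sections

FILE_RE = re.compile(r"^Creates file (?P<path>.+)$")
RUN_RE = re.compile(r'^Creates value "(?P<name>[^=]+)=(?P<path>[^"]+)" in key .+\\Run$', re.I)
CONN_RE = re.compile(r'^Connects to "(?P<ip>[\d.]+) \((?P<host>[^)]+)\)" on port (?P<port>\d+)')

def triage(report):
    """Indicators an analyst checks first: dropped files, Run-key persistence, SMTP peers, mutexes."""
    f = {"dropped_files": [], "persistence": [], "smtp_peers": [], "mutexes": []}
    for e in report.get("Changes to filesystem", []):
        if m := FILE_RE.match(e["text"]):
            f["dropped_files"].append(m["path"])
    for e in report.get("Changes to registry", []):
        if m := RUN_RE.match(e["text"]):
            f["persistence"].append((m["name"], m["path"]))
    for e in report.get("Network services", []):
        if (m := CONN_RE.match(e["text"])) and m["port"] == "25":
            f["smtp_peers"].append((m["ip"], m["host"]))
    for e in report.get("Process/window information", []):
        if e["text"].startswith("Creates a mutex "):
            f["mutexes"].append(e["text"][len("Creates a mutex "):].rstrip("."))
    # A file the sample wrote itself and then registered under Run: persistence via its own dropper.
    f["dropped_persisted"] = [p for _, p in f["persistence"] if p in f["dropped_files"]]
    return f
```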

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Sun Nov 22, 2009 2:23 pm

I found an elegant solution to avoid having the API logger as an external module. In the current beta version the API logger is included inside Buster Sandbox Analyzer. The solution was to use Sandboxie to inject the API logger DLL into sandboxed processes.

The manual is almost finished.

UPieper
Posts: 61
Joined: Sun Dec 16, 2007 7:07 am

Post by UPieper » Sun Nov 22, 2009 4:56 pm

That looks very interesting... If you need any beta testers, I'm ready :-)

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Sun Nov 22, 2009 6:09 pm

UPieper wrote:
That looks very interesting... If you need any beta testers, I'm ready :-)

You are welcome as a tester, of course! All the help will be really appreciated.

You have a beta version available. Did you try it already?

Just let me know any bugs, suggestions, requests, ... you have.

tzuk has been so kind as to add the feature I requested, so I expect to release version 1.0 really soon... a couple of days, maybe less.

btw... you joined in 2007 and you only published 9 messages. Amazing! :)
Last edited by Buster on Mon Nov 23, 2009 2:09 am, edited 1 time in total.

UPieper
Posts: 61
Joined: Sun Dec 16, 2007 7:07 am

Post by UPieper » Mon Nov 23, 2009 1:13 am

Hi Buster, great... but I can't find a download link in this thread? :wink:

Greetings,

UP

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Mon Nov 23, 2009 2:04 am

The URL has been posted in this thread.

UPieper
Posts: 61
Joined: Sun Dec 16, 2007 7:07 am

Post by UPieper » Mon Nov 23, 2009 2:07 am

God... I must be blind! :shock:

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Mon Nov 23, 2009 2:08 am

No problem! Blind testers are welcome too! :P

UPieper
Posts: 61
Joined: Sun Dec 16, 2007 7:07 am

Post by UPieper » Mon Nov 23, 2009 11:49 am

Hi Buster,

a very useful tool indeed. A small suggestion I have is to add two buttons in the GUI, "Open FileDiff" and "Open RegDiff"...

Greetings,
