SandDiff

Utilities designed for use with Sandboxie
Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Thu Sep 24, 2009 1:15 pm

Hi.

I just uploaded SandDiff 1.02. The URL is: http://sanddiff.qnea.de/sanddiff.rar

The changes I introduced are:

+ SandDiff performs a file modification checking so modificated files will be reported in FileDiff.TXT.

I didn´t explain it but in the reports (FileDiff, RegDiff, ...) there are 3 symbols initiating each line

"+" means that a file or registry entry was added.

"~" means that a file or registry entry was modified.

"-" means that a file or registry entry was removed.


+ I introduced a new button with the label "Meanwhile".

At the moment this button is used to capture a log of connections so SandDiff can compare opened ports.


+ I added a feature to easily recover already used sandbox folders.


+ The switch button of the viewer will change from File -> Registry -> Ports (if available) and then back to File again.


+ RegHive and RegHive.LOG are automatically discarded from file difference comparisions.


As usual I may miss something. Just try the new version and drop your comments.

Actually the TODO list contains:

+ Feature to exclude from differences user defined files, registry and maybe port values too.

+ Include a module that analyzes all the information obtained from comparisions and presents a malware
behaviour evaluation.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Fri Sep 25, 2009 5:33 pm

I have uploaded SandDiff 1.03.

Changes:

+ Certain files will be stored under a folder named "Config".

+ I added the exclusion list feature.

The user can define what strings must be discarded from difference files. String search is case-insensitive.


With that changes the part of the program comparing differences between 2 sandboxes is, at least at the moment, finished. I don´t plan adding new features to this part, only fix bugs if any is found, but if someone suggests an interesting feature I will be glad to consider adding it.

Now I will start working in the part of the program that analyzes all the differences and evaluates if taken actions can be considered as suspicious.

My final goal is to create a report listing all the actions that were considered suspicious, if any, and give an evaluation based on them. For this I must create a list of suspicious actions and assign them a "malicious ratio".

Finally the analysing module would say that analysed program(s) has a "low", "medium" or "high" risk of being a malware.

I say it now and I would like to don´t have to repeat it very much: Nobody can expect 100% accurate results, probably not even a 1% in some cases.

Some malwares will detect Sandboxie is running so they will abort operations. In such cases the analysis will be useless.

Some malwares don´t start malicious actions inmediately after being run. Again, in such cases the analysis will be very probably useless.

Some malwares (backdoors mainly) just open a port and wait for an incoming connection. It´s very risky to evaluate a program as malware just because it opens a port.

People should know that in malware analysis, the automatic processes can not be compared to the human analysis, specially when it´s done by experts. I´m not an expert coder, malware analyzer or similar. SandDiff just pretends to be an orientative tool.

There are no malware actions "per se", so I can not say "this program is malware because it did this or that". E.g. A malware may add itself to an autorun registry, but legit software may do it too.

It´s the user who must, in last term, evaluate if the analyzed program should be doing certain things or not.

Building a list of malicious actions will take time. I will wait for tzuk to release a Sandboxie version including the message logging feature as it will be a very important part of the analyzer. Therefore there will not be new version of SandDiff for a while.

Meanwhile test as much as possible the current version and send your feedback!

wraithdu
Posts: 1410
Joined: Fri Jun 29, 2007 2:54 pm

Post by wraithdu » Mon Oct 12, 2009 3:48 pm

I'm getting a very vague 'file access denied' error message from Sandiff trying to run Step 1. It happens in any sandbox, no programs running obviously.

Sandiff 1.03
Win7 Pro RTM 32-bit

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Mon Oct 12, 2009 6:23 pm

wraithdu wrote:I'm getting a very vague 'file access denied' error message from Sandiff trying to run Step 1. It happens in any sandbox, no programs running obviously.

Sandiff 1.03
Win7 Pro RTM 32-bit
Could you check with File Monitor what file is giving the error, please?

wraithdu
Posts: 1410
Joined: Fri Jun 29, 2007 2:54 pm

Post by wraithdu » Mon Oct 12, 2009 10:43 pm

Looks like I get an ACCESS DENIED error for 'C:\Windows\System32\NETSTAT.EXE' ... probably because it doesn't exist there on Win7. I have that file here:

C:\Windows\winsxs\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7600.16385_none_329d49cdb031b824\NETSTAT.EXE

Code: Select all

370	9:38:47.4284740 PM	sanddiff.exe	908	CreateFile	C:\Windows\System32	SUCCESS	Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Open For Backup, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
371	9:38:47.4285282 PM	sanddiff.exe	908	QueryDirectory	C:\Windows\System32\netstat.exe	SUCCESS	Filter: netstat.exe, 1: NETSTAT.EXE
372	9:38:47.4285768 PM	sanddiff.exe	908	CloseFile	C:\Windows\System32	SUCCESS	
373	9:38:47.4294792 PM	sanddiff.exe	908	QueryOpen	C:\Windows\System32\NETSTAT.EXE	FAST IO DISALLOWED	
374	9:38:47.4295919 PM	sanddiff.exe	908	CreateFile	C:\Windows\System32\NETSTAT.EXE	SUCCESS	Desired Access: Read Attributes, Disposition: Open, Options: Open For Backup, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
375	9:38:47.4297151 PM	sanddiff.exe	908	CreateFile	C:\Windows\System32\NETSTAT.EXE	SUCCESS	Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
376	9:38:47.4298660 PM	sanddiff.exe	908	QueryFileInternalInformationFile	C:\Windows\System32\NETSTAT.EXE	SUCCESS	IndexNumber: 0x1000000004894
377	9:38:47.4298887 PM	sanddiff.exe	908	CloseFile	C:\Windows\System32\NETSTAT.EXE	SUCCESS	
378	9:38:47.4300612 PM	sanddiff.exe	908	QueryBasicInformationFile	C:\Windows\System32\NETSTAT.EXE	SUCCESS	CreationTime: 7/13/2009 6:55:12 PM, LastAccessTime: 7/13/2009 6:55:12 PM, LastWriteTime: 7/13/2009 8:14:27 PM, ChangeTime: 7/28/2009 3:33:19 PM, FileAttributes: A
379	9:38:47.4300766 PM	sanddiff.exe	908	CloseFile	C:\Windows\System32\NETSTAT.EXE	SUCCESS	
380	9:38:47.4302429 PM	sanddiff.exe	908	CreateFile	C:\Windows\System32\NETSTAT.EXE	ACCESS DENIED	Desired Access: Generic Read/Write, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a
381	9:38:47.4303495 PM	sanddiff.exe	908	CreateFile	C:\Windows\System32\NETSTAT.EXE	SUCCESS	Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
382	9:38:47.4304819 PM	sanddiff.exe	908	QueryFileInternalInformationFile	C:\Windows\System32\NETSTAT.EXE	SUCCESS	IndexNumber: 0x1000000004894
383	9:38:47.4305022 PM	sanddiff.exe	908	CloseFile	C:\Windows\System32\NETSTAT.EXE	SUCCESS

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Tue Oct 13, 2009 2:25 am

Thanks for the report. I will change it.

Edit: I just checked my Windows 7 and NETSTAT.EXE is in Windows\System32 folder.

The problem is that for a reason I don´t know, I can not call it directly from my program.

The workaround I did was to copy NETSTAT.EXE to SandDiff´s folder and execute it from there.

wraithdu
Posts: 1410
Joined: Fri Jun 29, 2007 2:54 pm

Post by wraithdu » Tue Oct 13, 2009 12:27 pm

Sounds like it has to do with some kind of SideBySide installation. I don't know why netstat would be installed that way though...

How are you calling it from your program? CreateProcess? ShellExecute? Through cmd?

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Tue Oct 13, 2009 12:33 pm

wraithdu wrote:Sounds like it has to do with some kind of SideBySide installation. I don't know why netstat would be installed that way though...

How are you calling it from your program? CreateProcess? ShellExecute? Through cmd?
Don´t you have NETSTAT.EXE in your Windows\System32 folder?

I have it there and in the path you mentioned.

ShellExecute but the problem is that the file seems to be in use. :shock:

wraithdu
Posts: 1410
Joined: Fri Jun 29, 2007 2:54 pm

Post by wraithdu » Tue Oct 13, 2009 1:50 pm

Hmm, weird. My file manager shows netstat in both System32 and that winsxs directory. However my search program Everything (www.voidtools.com) only shows the copy in the winsxs folder.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Tue Oct 13, 2009 2:00 pm

I installed Windows 7 just a few days ago and I didn´t have time yet to take a close look at it but it´s obvious that there are different things compared to XP. (I never wanted to try Vista)

When I try to open NETSTAT.EXE (both from systems32 and winsxs folders) I get in return a "file in use" but I can copy the file to other folder.

Meanwhile I don´t understand why it happens the workaround should work anyway.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Tue Oct 13, 2009 6:14 pm

wraithdu, I have uploaded a new version:

http://sanddiff.qnea.de/sanddiff.rar

Let me know if the bug is gone, please.

wraithdu
Posts: 1410
Joined: Fri Jun 29, 2007 2:54 pm

Post by wraithdu » Tue Oct 13, 2009 6:25 pm

Sweet, works well.

What is your command line for launching netstat? I'd like to test if I have the same problem as you. You said you used ShellExecute right?

nick s
Posts: 382
Joined: Sat Dec 20, 2008 12:52 am

Post by nick s » Tue Oct 13, 2009 6:48 pm

wraithdu wrote:However my search program Everything (www.voidtools.com) only shows the copy in the winsxs folder.
Using the latest Everything alpha build (1.2.1.432) here on Vista, it appears that Everything is ignoring the contents of \System32.

First edit: I reverted back to build 1.2.1.371 and get the same result.

Final edit: It turns out that C:\Windows\System32\netstat.exe is a hardlink...
Everything's developer wrote:Only the first hardlink of a file will be indexed and monitored.
Files that are not the first hardlink will not be indexed or monitored.

This is a limitation of the USN Change Journal.

I have plans to index all hard links in the future.
However, you will have to update the indexes manually as the USN Change Journal does not support hardlinks.
Last edited by nick s on Tue Oct 13, 2009 11:18 pm, edited 3 times in total.
Nick

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Tue Oct 13, 2009 7:05 pm

wraithdu wrote:Sweet, works well.

What is your command line for launching netstat? I'd like to test if I have the same problem as you. You said you used ShellExecute right?
netstat -ano

ShellExecute, right.

It´s something like this (Delphi code)

Code: Select all

     
     FillChar(SEInfo, SizeOf(SEInfo), 0) ;
     SEInfo.cbSize := SizeOf(TShellExecuteInfo) ;
     with SEInfo do
        begin
        fMask := SEE_MASK_NOCLOSEPROCESS;
        Wnd := Application.Handle;
        lpFile := PChar(ExecuteFile) ;
        lpParameters := PChar(Parameters);
        nShow := SW_NORMAL;
        end;
     if ShellExecuteEx(@SEInfo) then
        begin
        repeat
        Application.ProcessMessages;
        GetExitCodeProcess(SEInfo.hProcess, ExitCode) ;
        until (ExitCode <> STILL_ACTIVE) or Application.Terminated;
        end;

wraithdu
Posts: 1410
Joined: Fri Jun 29, 2007 2:54 pm

Post by wraithdu » Tue Oct 13, 2009 11:19 pm

Is it a security rights issue maybe? Is your app running in a lowered rights mode of sorts so that it can't run apps in system directories?

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest