Buster Sandbox Analyzer

Newuser

Post by Newuser » Fri Dec 04, 2009 7:37 am

Yes,is better that can add our own custom registry entries or files to define as high risk.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Fri Dec 04, 2009 7:48 am

Newuser wrote: Yes, it is better if we can add our own custom registry entries or files to define as high risk.

Own custom registry entries is a good idea. I will add the feature.

I had an idea about this. The format for user defined registry entries will be:

[Custom_Registry_Entries]
registry key<->reason to add it

That way if the registry is used it will be reported in the analysis as:

Reason to add it: registry key

That looks good, doesn't it?

People could "contribute" their own custom registry entries and the reason to add it, so other users could use them too.

About defined files, I don't see any reason for that. Could you give one, or an example, please?

Newuser

Post by Newuser » Fri Dec 04, 2009 9:04 am

[Custom_Registry_Entries]
registry key<->reason to add it

That way if the registry is used it will be reported in the analysis as:

Reason to add it: registry key

That's a good idea, looking forward to new features :D

neo

Feature request

Post by neo » Fri Dec 04, 2009 11:44 am

Tzuk and Buster,

Thanks and congratulations on your great work. Now, if I could make a few feature requests for BSA... It'd be nice to be able to have:

- a pcap of network traffic
- a MD5 of the files that are created next to the name/path
- batch processing. That would be absolutely wonderful

Thanks again.

Buster

Re: Feature request

Post by Buster » Fri Dec 04, 2009 12:15 pm

Thanks for your kind words, neo.

pcap: As you may know I started developing this project recently, so I'm still adding the basic stuff to make it work properly. Capturing network traffic is something I had in mind to look at in the future, but that will have to wait until I add other features I consider more urgent.

MD5, SHA1 and SHA256 hashing is something that I will add in the next version. I already had it on my to-do list.

What I have already implemented, and will also be included in the next release, is a check for new updates.

Batch processing: I may include this feature in the future, not sure. As BSA is designed there is no real benefit of having batch processing. The user must start/stop Sandboxie manually, therefore the advantage of having batch processing is not the same as it is for, e.g., Norman Sandbox Analyzer, where user intervention is not required.

Buster

Post by Buster » Fri Dec 04, 2009 4:43 pm

Released Buster Sandbox Analyzer 1.02.

Change list:

Added MD5, SHA1 and SHA256 hashing when file to process is specified

Added custom registry entry checking

Added a feature to check for updates

Fixed a few bugs in Buster Sandbox Analyzer

Fixed a bug in LOG_API library

Buster

Post by Buster » Sat Dec 05, 2009 6:40 am

neo: In version 1.02 the MD5, SHA1 and SHA256 (finally I decided to include it because I saw it's being used on other sites already) of the file you start processing is optionally included in the report. You just need to supply the filename to obtain such info in Report.TXT.

I will include an option in version 1.03 to also put the hashes of the created files in the report.

Newuser: Let me know if the "custom_registry_entries" feature satisfies your request.

Guest1

Post by Guest1 » Sat Dec 05, 2009 7:22 pm

I find it difficult to add the registry entries, or maybe I was wrong.

For example, I added:

[Custom_Registry_Entries]
machine\software\microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools<->Disable Registry Tools
user\current\software\Microsoft\Internet Explorer\Main\Start Page<->change start page

The malware analyzer module does not alert me about this.

Buster

Post by Buster » Sat Dec 05, 2009 7:43 pm

Guest1 wrote: I find it difficult to add the registry entries, or maybe I was wrong.

There is a bug or a lack of information, as you prefer.

The strings should be lowercased.

In version 1.03 I will make them case insensitive.

Buster

Post by Buster » Sun Dec 06, 2009 7:28 pm

Released Buster Sandbox Analyzer 1.03.

Change list:

Updated BSA.DAT with new registry AutoStart locations

Added a feature to save user settings

Added a feature to include in Report.TXT the hashes of created files

Improved Report.TXT information

Updated LOG_API library

Fixed a few bugs in Buster Sandbox Analyzer

Rona

Post by Rona » Mon Dec 07, 2009 8:09 pm

[Custom_Registry_Entries]
registry key<->reason to add it

Can I use a wildcard to add it??

Buster

Post by Buster » Mon Dec 07, 2009 8:35 pm

Rona wrote:
[Custom_Registry_Entries]
registry key<->reason to add it
Can I use a wildcard to add it??

No, wildcards are not supported.

What do you have in mind? Could you put an example, please?

Rona

Post by Rona » Mon Dec 07, 2009 8:53 pm

\Software\Microsoft\Internet explorer\Main\\*page
\Software\Microsoft\Windows\Currentversion\Internet settings\*zones
\Software\Microsoft\Windows\Currentversion\Explorer\Browser helper objects*
\SOFTWARE\Microsoft\Windows*\CurrentVersion\Image File Execution Options*

If wildcards are not supported I'm gonna have a large list. :cry:

Buster

Post by Buster » Mon Dec 07, 2009 9:15 pm

Rona wrote: \Software\Microsoft\Internet explorer\Main\\*page
\Software\Microsoft\Windows\Currentversion\Internet settings\*zones
\Software\Microsoft\Windows\Currentversion\Explorer\Browser helper objects*
\SOFTWARE\Microsoft\Windows*\CurrentVersion\Image File Execution Options*

If wildcards are not supported I'm gonna have a large list. :cry:

Let's take this as an example:

\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

There is only one "Browser Helper Objects*" registry key. That key has 3 entries:

{bf00e119-21a3-4fd1-b178-3b8537e75c92}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}

I guess it's more or less the same on your computer.

Are you worried because you want to catch those 3 entries and you intend to use

\Software\Microsoft\Windows\Currentversion\Explorer\Browser helper objects*

to do it?

Or is something different?

nick s
Posts: 382
Joined: Sat Dec 20, 2008 12:52 am

Post by nick s » Mon Dec 07, 2009 11:05 pm

I'm working on converting Malware Defender's default registry rules for use in BSA. Wildcards would also be useful in dealing with something like multiple ControlSet* entries:

\SYSTEM\ControlSet*\Control\BootVerificationProgram; ImagePath
\SYSTEM\ControlSet*\Control\Lsa; Authentication Packages
\SYSTEM\ControlSet*\Control\Lsa; Notification Packages
\SYSTEM\ControlSet*\Control\Lsa; Security Packages
\SYSTEM\ControlSet*\Control\NetworkProvider\Order; ProviderOrder
\SYSTEM\ControlSet*\Control\Print\Monitors\*
\SYSTEM\ControlSet*\Control\SecurityProviders; SecurityProviders
\SYSTEM\ControlSet*\Control\Session Manager; BootExecute
\SYSTEM\ControlSet*\Control\Session Manager; Execute
\SYSTEM\ControlSet*\Control\Session Manager; PendingFileRenameOperations
\SYSTEM\ControlSet*\Control\Session Manager; S0InitialCommand
\SYSTEM\ControlSet*\Control\Session Manager; SetupExecute
\SYSTEM\ControlSet*\Control\Session Manager\KnownDLLs\*
\SYSTEM\ControlSet*\Control\Terminal Server\Wds\rdpwd; StartupPrograms
\SYSTEM\ControlSet*\Services
\SYSTEM\ControlSet*\Services\*; ImagePath
\SYSTEM\ControlSet*\Services\*; ServiceDll
\SYSTEM\ControlSet*\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\*
\SYSTEM\ControlSet*\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\*

Note that the "; " preceding a value is still part of Malware Defender's syntax. Would the following be a correct conversion?

from...

\SYSTEM\ControlSet*\Control\BootVerificationProgram; ImagePath

to...

\SYSTEM\ControlSet*\Control\BootVerificationProgram\ImagePath<->ImagePath

Nick
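As an added example (not BSA's own code and not from anyone in this thread), a Python sketch of how a [Custom_Registry_Entries] section can be parsed and matched against registry keys touched in a sandboxed run, case-insensitively as Buster says 1.03 does. The "*" wildcard handling and the Malware Defender "path; value" conversion are assumptions illustrating what Rona and nick asked about, not features BSA provides; the rule text and accessed keys are constructed samples.

```python
import fnmatch

# Constructed sample rules in the [Custom_Registry_Entries] format from the thread
# (not from the real BSA.DAT). The '*' in the last rule is an assumed extension.
CUSTOM_RULES = r"""[Custom_Registry_Entries]
machine\software\microsoft\windows\currentversion\policies\system\DisableRegistryTools<->Disable Registry Tools
user\current\software\microsoft\internet explorer\main\Start Page<->Change start page
machine\system\controlset*\control\session manager\BootExecute<->Boot-time executable
"""

# Constructed sample of registry keys a sandboxed program touched (mixed case on purpose).
ACCESSED_KEYS = [
    r"machine\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
    r"user\current\Software\Microsoft\Internet Explorer\Main\Start Page",
    r"machine\System\ControlSet001\Control\Session Manager\BootExecute",
    r"machine\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
]

def parse_custom_rules(text):
    """Return (lowercased key pattern, reason) pairs from the [Custom_Registry_Entries] section."""
    rules, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[custom_registry_entries]"
        elif in_section and "<->" in line:
            key, reason = line.split("<->", 1)
            rules.append((key.strip().lower(), reason.strip()))
    return rules

def match_keys(rules, accessed):
    """Report 'reason: key' for each accessed key matching a rule (case-insensitive, '*' wildcard assumed)."""
    hits = []
    for key in accessed:
        for pattern, reason in rules:
            if fnmatch.fnmatchcase(key.lower(), pattern):
                hits.append(f"{reason}: {key}")
                break  # first matching rule wins
    return hits

def convert_md_rule(rule):
    """Turn a Malware Defender 'path; value' rule into the BSA line nick proposed (assumed mapping)."""
    path, _, value = (part.strip() for part in rule.partition(";"))
    key = f"{path}\\{value}" if value else path
    return f"{key}<->{value or path}"
```

Running match_keys over the constructed samples reports the first three keys with their reasons; the fourth key (...\Run\Updater) matches no rule and produces no report line.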
