Buster Sandbox Analyzer

Utilities designed for use with Sandboxie
Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Buster Sandbox Analyzer

Post by Buster » Fri Oct 30, 2009 3:17 pm

I have edited the first post to include information about where to download the tool.

Official site is:

http://bsa.isoftware.nl

And the tool can be downloaded from:

http://bsa.novirusthanks.org/downloads/bsa.rar
http://www.woodmann.com/virusbuster/bsa.rar

Actual version: 1.88

MD5: 32d92812f399da48e61ca810b09f11fc

Version: 1.88 Update 4 [Released 24/04/2014]

http://www.woodmann.com/virusbuster/bsa ... date_4.rar

--- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x ---

Hi.

As already mentioned, I decided to change the name of my tool because its purpose changed.

The tool will now be named Buster Sandbox Analyzer, or BSA for short.

The main goal of the tool will be to analyze the behaviour of sandboxed processes and decide whether the changes made to the system may be suspicious of malware.

It can also be used just to check what changes (files and registry) were made in the system.

Instructions to run BSA:

Of course, in order to run BSA, Sandboxie must be installed and running properly.

BSA does not require installation. Just create a folder and copy BSA.EXE and BSA.DAT inside.

When you run BSA you can see this:

[image]

To start working with the tool you just need to specify which sandbox folder you will work with. You must specify the complete path to the sandbox folder, e.g. for the DefaultBox it would be something like:

C:\Sandbox\ExampleUser\DefaultBox

You will only have to specify the sandbox path once. When you close BSA, the program will automatically remember the sandboxes used. This information will be stored in the \CONFIG folder under the name BSA.INI.

The sandbox folder must exist and must be empty. BSA will check that both conditions are met, and if either of them is not, BSA will warn about it.

When you are ready to start working with the tool, press the "Start" button. If the sandbox folder exists and the folder is empty, BSA will be ready for the next step.

After pressing "Start" two buttons get enabled.

Now it's the moment to sandbox whatever you want.

If you are interested in getting port differences, press the "Check Ports" button; if not, just skip it.

When you are done, terminate all sandboxed processes and then click "Find Differences".

If Sandboxie is still in use BSA will warn about that.

At this point, if you are only interested in getting the changes made to the system, you can quit BSA. You will find FileDiff.TXT, RegDiff.TXT and PortDiff.TXT (when available) in BSA's folder.

You can open those files with any text editor because they are in plain text.

If you are interested in the malware analysis, click the button.

BSA will perform several checks on the changes made to the system, looking for malware behaviour.

At the moment some of the checks are not available.

When you close the malware analyser, the results of the analysis will be saved to ANALISIS.TXT.

In the next message I will explain the exclusion list, the BSA.DAT format and the file differences format.
Last edited by Buster on Thu Apr 24, 2014 4:30 pm, edited 36 times in total.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Fri Oct 30, 2009 4:08 pm

Exclusion list:

The exclusion list is a set of strings that the user wants to be excluded from results. All lines containing a string that appears in the exclusion list will be removed from reports.

You can define exclusions for file, registry and ports. There is an exclusion list editor included in BSA but files can be directly edited with any text editor.

File exclusion strings are not sandbox path relative. This means you must specify the path or file as it appears on the real disk, e.g.:

C:\pagefile.sys would be ok

C:\SandBox\ExampleUser\DefaultBox\drive\C\pagefile.sys would not be ok.

Registry exclusion list uses relative strings. Sandboxie will "translate" HKEY_CURRENT_USER to user\current\ and HKEY_LOCAL_MACHINE to machine\.

To avoid mistakes you should take strings directly from RegDiff.TXT and include them in the exclusion list.

The exclusion list is case insensitive.
Last edited by Buster on Sun Nov 01, 2009 7:26 pm, edited 7 times in total.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Fri Oct 30, 2009 4:22 pm

File differences format:

There are 3 difference files: FileDiff.TXT, RegDiff.TXT and PortDiff.TXT

In FileDiff.TXT there are 4 possible symbols as the first character of every line.

"+" represents a new file: A file that is not present on the real disk, so it's created.

"-" represents a deleted file: A file that was present on the real disk and was deleted.

"~" represents a modified file: A file that was changed.

"=" represents a copied file: Sandboxie copied a file inside the sandbox. This doesn't represent any change.

Temporary files (files that are created and later deleted) cannot be represented at the moment. It would probably be necessary to use an injected DLL to catch that kind of file.

In RegDiff.TXT you can find the following information:

"created registry key": The registry key was created.

"deleted registry key": The registry key was deleted.

"empty value key": The value of a key was removed.

"deleted value key": The value of a key was deleted.

When the content of a value changes you get something like:

user\current\software\Microsoft\Windows\CurrentVersion\Applets\Regedit\FindFlags = 0E000000


Important: Some registry keys and value keys are modified by Sandboxie, not by sandboxed processes. I suggest running CALC.EXE (or any other program that does not modify the registry) and adding the strings from the resulting RegDiff.TXT to the exclusion list.
Last edited by Buster on Sun Nov 01, 2009 7:29 pm, edited 3 times in total.
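
As an added example (not BSA's own code), here is a small Python parser for the FileDiff.TXT symbols described above that applies an exclusion list the way the previous post describes it: case-insensitive substring matching against real-disk paths, with "=" copies dropped because they are not real changes. The sample FileDiff lines and paths are constructed, and the layout "symbol immediately followed by the path" is my assumption.

```python
# Added example, not part of BSA: parse FileDiff.TXT lines and apply a
# case-insensitive exclusion list. Symbol meanings follow the post; the
# sample lines are constructed, and "symbol directly followed by the
# path" is an assumption about the line layout.
from collections import defaultdict

SYMBOLS = {
    "+": "created",   # not on the real disk, created in the sandbox
    "-": "deleted",   # on the real disk, deleted in the sandbox
    "~": "modified",  # changed inside the sandbox
    "=": "copied",    # copied in by Sandboxie, not a real change
}

def is_excluded(entry, exclusions):
    """True if any exclusion string occurs in the entry (case-insensitive)."""
    low = entry.lower()
    return any(ex.lower() in low for ex in exclusions)

def parse_filediff(text, exclusions=(), keep_copies=False):
    """Group FileDiff.TXT entries by change type, dropping excluded lines."""
    changes = defaultdict(list)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        symbol, path = raw[0], raw[1:].strip()
        if symbol not in SYMBOLS:
            raise ValueError("unknown FileDiff symbol in line: %r" % raw)
        if symbol == "=" and not keep_copies:   # "=" is not a change
            continue
        if is_excluded(path, exclusions):
            continue
        changes[SYMBOLS[symbol]].append(path)
    return dict(changes)

# Constructed FileDiff.TXT content; the paths are made up.
SAMPLE_FILEDIFF = """\
+C:\\Windows\\System32\\newfile.dll
~C:\\Program Files\\App\\app.exe
-C:\\Users\\ExampleUser\\Desktop\\notes.txt
=C:\\Windows\\System32\\kernel32.dll
+C:\\PAGEFILE.SYS
"""

if __name__ == "__main__":
    # Exclusions are real-disk paths: the sandbox-relative spelling of
    # pagefile.sys matches nothing, so that line stays in the report.
    print(parse_filediff(SAMPLE_FILEDIFF, ["C:\\pagefile.sys"]))
    print(parse_filediff(SAMPLE_FILEDIFF,
          ["C:\\SandBox\\ExampleUser\\DefaultBox\\drive\\C\\pagefile.sys"]))
```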

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Fri Oct 30, 2009 4:38 pm

BSA.DAT format:

The malware analyzer module is a bit flexible and can be customized by the user.

[File_Types_Copied_Windows]: Here the user defines which file types (extensions) must raise an alert when copied into the Windows folder.

By default .exe, .dll and .sys are watched. Other interesting file types to watch could be e.g. .VBS.

Why this? Many malware samples copy their components into the Windows folder.


[File_Types_Modified]: Here the user defines which file types must be watched when they are modified.

By default .exe and .dll files are watched.

Why this? Modifying an .exe is a typical action of viruses.


[File_Types_Copied_AutoStart]: Here we define which file types must be watched when copied to AutoStart locations.

An AutoStart location is, e.g., the Startup folder.

By default .exe and .dll files are watched.

Why this? It's typical of malware to get its components included in autostart locations so they run when Windows loads.


[AutoStart_Files_Added_or_Modified]: Here we define what autostart files must be watched when added to disk or modified.

By default the list of autostart files is:

win.ini
system.ini
wininit.ini
winstart.bat
dosstart.bat
autoexec.nt
config.nt
autoexec.bat
config.sys
autorun.inf

Why this? Another method malware uses to get running when Windows loads is adding itself to one of those files.


[AutoStart_Registry_Created_or_Modified]: Here we define what registry autostart locations to watch.

The list is a bit large so I will not put it here. Just as an example:

\software\microsoft\windows\currentversion\run

Why this? It's very typical of malware to add itself to a registry autostart location so it gets loaded when Windows boots.

If you want to include new file types to watch, registry autostart locations or whatever, feel free to do so. You can also remove or edit the current values.

You just need to know that after a section header "[blablabla]" you must include all the values, and there cannot be an empty line between them.

An empty line must be included between the last value and the next section.

Code:

    [File_Types_Copied_AutoStart]
    .exe
    .dll
    .sys

    [AutoStart_Files_Added_or_Modified]

That's fine.

Code:

    [File_Types_Copied_AutoStart]
    .exe
    .dll
    .sys
    [AutoStart_Files_Added_or_Modified]

Code:

    [File_Types_Copied_AutoStart]
    .exe

    .dll
    .sys

    [AutoStart_Files_Added_or_Modified]

That's wrong and the malware analyzer module will not work properly.
Last edited by Buster on Sat Oct 31, 2009 2:52 am, edited 3 times in total.
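
As an added example (not BSA's own code), here is a strict Python parser for the BSA.DAT layout described in this post (values directly under a "[Section]" header, no empty line inside a section, one empty line before the next header), followed by two of the watch rules applied to FileDiff.TXT lines. Section names are taken from the post; the sample data, the "+"/"~" symbol mapping and the "C:\Windows\" prefix check are my assumptions.

```python
# Added example, not part of BSA: a strict parser for the BSA.DAT layout
# the post describes, plus the File_Types_Copied_Windows and
# AutoStart_Files_Added_or_Modified rules applied to FileDiff.TXT lines.
# Sample data and the "C:\Windows\" prefix check are constructed.

def parse_bsa_dat(text):
    """Return {section: [values]}; raise ValueError on a layout the
    malware analyzer module would misread."""
    sections, current = {}, None          # current is None outside a section
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:                      # an empty line closes the section
            current = None
        elif line.startswith("[") and line.endswith("]"):
            if current is not None:       # header right after a value
                raise ValueError("line %d: no empty line before %s" % (n, line))
            current = line[1:-1]
            sections[current] = []
        elif current is None:             # value after an empty line
            raise ValueError("line %d: value %r outside a section" % (n, line))
        else:
            sections[current].append(line)
    return sections

def alerts_for(filediff_lines, rules):
    """Flag "+" (new) and "~" (modified) FileDiff.TXT entries matching the
    File_Types_Copied_Windows and AutoStart_Files_Added_or_Modified rules."""
    win_types = {v.lower() for v in rules.get("File_Types_Copied_Windows", [])}
    auto_files = {v.lower() for v in rules.get("AutoStart_Files_Added_or_Modified", [])}
    found = []
    for raw in filediff_lines:
        symbol, path = raw[0], raw[1:].strip()
        name = path.lower().rsplit("\\", 1)[-1]
        ext = name[name.rfind("."):] if "." in name else ""
        if symbol == "+" and path.lower().startswith("c:\\windows\\") and ext in win_types:
            found.append(("file type copied to Windows folder", path))
        if symbol in "+~" and name in auto_files:
            found.append(("autostart file added or modified", path))
    return found

SAMPLE_DAT = "[File_Types_Copied_Windows]\n.exe\n.dll\n.sys\n\n" \
             "[AutoStart_Files_Added_or_Modified]\nwin.ini\nsystem.ini\nautorun.inf\n"
BROKEN_DAT = "[File_Types_Copied_Windows]\n.exe\n\n.dll\n.sys\n"   # empty line inside
SAMPLE_DIFF = ["+C:\\Windows\\System32\\dropped.dll", "~C:\\WINDOWS\\win.ini",
               "+C:\\Users\\ExampleUser\\notes.txt", "=C:\\Windows\\explorer.exe"]

if __name__ == "__main__":
    print(alerts_for(SAMPLE_DIFF, parse_bsa_dat(SAMPLE_DAT)))
```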

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Fri Oct 30, 2009 4:42 pm

I'm open to feature requests, suggestions and bug reports. Just post here and let me know.

When tzuk adds the feature I requested I will release the BSA 1.0 final version. Meanwhile I plan to beta-test the current version.

People like raid may help to improve malware detection rules.

Mark_
Posts: 111
Joined: Wed Dec 31, 2008 3:48 pm

Post by Mark_ » Fri Oct 30, 2009 8:13 pm

a download link would be nice, for starters ^^,

also, it might be useful to have a config editor, and to remove the needed empty line.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Sat Oct 31, 2009 2:53 am

I plan to release 1.0 beta this weekend.

I still must do some checks under Windows 7.

Guest

Post by Guest » Sat Oct 31, 2009 5:59 am

Hi Buster,

Actually you would implement the features tzuk somehow considered unnecessary... I do think he's wrong, but it might be me too.
With a tool like this one can actually see what's going on in his favorite sandbox)
The only question could be about host processes' reading attempts and a possible real-time warning like:
--------------------- BSA WARNING ---------------------
Sandboxie <ANALYSIS>
Process <c:\windows\Explorer.exe>
Details (PID=3888, size=15368KB, ran by Admin)
is trying to write data at a restricted area\path <c:\>.
<A>llow <D>eny <T>erminate
Keep up

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Sat Oct 31, 2009 2:53 pm

I'm afraid I cannot do that from outside the sandbox, or at least I don't know how to code such a thing.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Sun Nov 01, 2009 7:34 pm

Buster Sandbox Analyzer 1.0 beta has been released. You can get it from here:

http://bsa.qnea.de/bsa.rar

I edited the previous posts to reflect some changes I did since I wrote the information.

Ideas, suggestions, bug reports, ... are welcome!

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Mon Nov 02, 2009 3:31 am

Additional notes:

BSA reflects the changes that would be made to the system. Temporary changes are not shown, e.g. if a file is created inside the sandbox and later deleted before the processes are terminated. The same goes for registry entries.

If a registry value is changed and then changed again, and finally the value is the same as the entry in the real registry, the change will be reflected anyway.

I'm considering not showing that kind of entry. Should I show it even if it's finally equal to the value from the real registry, or should I skip it? Any thoughts about this?

Even if the primary goal of BSA is to analyze whether sandboxed processes behave like malware, tzuk gave me an interesting idea: BSA could be used to "undo" the effects of malware.

And as mentioned already, BSA can be used just to see what changes to system were done.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Mon Nov 02, 2009 10:09 am

BSA 1.0 beta 2 released. Download link remains the same.

Changes:

Added rules for empty/deleted value keys in registry.

Mark_
Posts: 111
Joined: Wed Dec 31, 2008 3:48 pm

Post by Mark_ » Mon Nov 02, 2009 10:32 am

you should list those items imo, maybe some kinda exploit is used to hide the modifications (example: embedded null in registry keys)

also, this item is listed while it is from sandboxie itself:

Defined registry entry added to AutoStart location: machine\software\microsoft\windows nt\currentversion\winlogon\Shell = x

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm

Post by Buster » Mon Nov 02, 2009 10:46 am

Mark_ wrote:
> also, this item is listed while it is from sandboxie itself:
>
> Defined registry entry added to AutoStart location: machine\software\microsoft\windows nt\currentversion\winlogon\Shell = x

I wrote about that:

Important: Some registry keys and value keys are modified by Sandboxie, not by sandboxed processes. I suggest running CALC.EXE (or any other program that does not modify the registry) and adding the strings from the resulting RegDiff.TXT to the exclusion list.

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Mon Nov 02, 2009 4:10 pm

Buster, I tried your tool, very nice. Now I understand what you plan to do with the message log file. :)
tzuk
