Page 2 of 4

Posted: Thu Sep 24, 2009 1:15 pm
by Buster
Hi.

I just uploaded SandDiff 1.02. The URL is: http://sanddiff.qnea.de/sanddiff.rar

The changes I introduced are:

+ SandDiff now checks for file modifications, so modified files will be reported in FileDiff.TXT.

I didn't explain it before, but in the reports (FileDiff, RegDiff, ...) each line starts with one of 3 symbols:

"+" means that a file or registry entry was added.

"~" means that a file or registry entry was modified.

"-" means that a file or registry entry was removed.


+ I introduced a new button with the label "Meanwhile".

At the moment this button is used to capture a log of connections so SandDiff can compare open ports.


+ I added a feature to easily recover already used sandbox folders.


+ The switch button of the viewer will change from File -> Registry -> Ports (if available) and then back to File again.


+ RegHive and RegHive.LOG are automatically discarded from file difference comparisons.


As usual, I may have missed something. Just try the new version and drop your comments.

Currently the TODO list contains:

+ Feature to exclude user-defined file, registry and maybe port values from the differences.

+ Include a module that analyzes all the information obtained from the comparisons and presents a malware behaviour evaluation.

Posted: Fri Sep 25, 2009 5:33 pm
by Buster
I have uploaded SandDiff 1.03.

Changes:

+ Certain files will be stored under a folder named "Config".

+ I added the exclusion list feature.

The user can define what strings must be discarded from difference files. String search is case-insensitive.


With these changes, the part of the program that compares differences between 2 sandboxes is, at least for the moment, finished. I don't plan to add new features to this part, only to fix bugs if any are found, but if someone suggests an interesting feature I will be glad to consider adding it.

Now I will start working on the part of the program that analyzes all the differences and evaluates whether the actions taken can be considered suspicious.

My final goal is to create a report listing all the actions that were considered suspicious, if any, and give an evaluation based on them. For this I must create a list of suspicious actions and assign them a "malicious ratio".

Finally, the analysis module would say that the analysed program(s) have a "low", "medium" or "high" risk of being malware.

I'll say it now, and I would rather not have to repeat it too often: nobody can expect 100% accurate results, probably not even 1% in some cases.

Some malware will detect that Sandboxie is running and abort its operations. In such cases the analysis will be useless.

Some malware doesn't start malicious actions immediately after being run. Again, in such cases the analysis will very probably be useless.

Some malware (backdoors mainly) just opens a port and waits for an incoming connection. It's very risky to evaluate a program as malware just because it opens a port.

People should know that in malware analysis, automatic processes cannot be compared to human analysis, especially when it's done by experts. I'm not an expert coder, malware analyst or similar. SandDiff is only meant to be an orientation tool.

There are no malware actions "per se", so I cannot say "this program is malware because it did this or that". E.g. malware may add itself to an autorun registry key, but legitimate software may do it too.

In the end, it's the user who must evaluate whether the analyzed program should be doing certain things or not.

Building a list of malicious actions will take time. I will wait for tzuk to release a Sandboxie version including the message logging feature, as it will be a very important part of the analyzer. Therefore there will not be a new version of SandDiff for a while.

Meanwhile test as much as possible the current version and send your feedback!
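
The differencing and rating described in the two posts above, written out as an added example (Python, not SandDiff's Delphi code and not from the thread). It assumes the sandbox state can be captured as a dict of file contents, a dict of registry values and the text of `netstat -ano`; the before/after snapshots, the rule weights and the low/medium/high thresholds are constructed for illustration, not taken from SandDiff.

```python
"""Snapshot differencing in the style of SandDiff's FileDiff/RegDiff/PortDiff reports, plus a
rule-based rating of the kind the post sketches.  Added example, not SandDiff's own code; the
snapshots below are constructed inline rather than captured from a real sandbox folder,
exported registry and `netstat -ano` run."""
import hashlib
import re

ADDED, MODIFIED, REMOVED = "+", "~", "-"
DEFAULT_EXCLUSIONS = ("RegHive", "RegHive.LOG")  # the sandbox's own hive changes on every run


def snapshot_files(files):
    """files: {path: content bytes}.  Hashing content is what makes '~' detectable."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def parse_netstat(text):
    """`netstat -ano` output -> {"PROTO local STATE": pid}.  UDP rows carry no state."""
    ports = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header and blank lines
        if parts[0] == "TCP":
            proto, local, _foreign, state, pid = parts[:5]
        else:
            proto, local, _foreign, pid = parts[:4]
            state = "-"
        ports[f"{proto} {local} {state}"] = int(pid)
    return ports


def diff(before, after):
    """Compare two {key: value} snapshots; return (marker, key) pairs sorted by key."""
    lines = []
    for key in sorted(set(before) | set(after)):
        if key not in before:
            lines.append((ADDED, key))
        elif key not in after:
            lines.append((REMOVED, key))
        elif before[key] != after[key]:
            lines.append((MODIFIED, key))
    return lines


def apply_exclusions(lines, user_exclusions=()):
    """Drop lines whose key contains any excluded string (case-insensitive substring match)."""
    needles = [e.lower() for e in (*DEFAULT_EXCLUSIONS, *user_exclusions)]
    return [(m, k) for m, k in lines if not any(n in k.lower() for n in needles)]


def render(lines):
    """One report line per change, e.g. '+ C:\\Windows\\System32\\svc.exe'."""
    return "\n".join(f"{m} {k}" for m, k in lines)


# (marker, regex over the key, weight, reason).  Weights are illustrative assumptions; no single
# action is malicious on its own (legit software adds autorun entries too), so one hit rates "low".
RULES = [
    (ADDED,    r"\\CurrentVersion\\Run\\",  2, "added an autorun entry"),
    (ADDED,    r"^C:\\Windows\\System32\\", 2, "dropped a file into System32"),
    (MODIFIED, r"^C:\\Windows\\",           3, "modified a file under the Windows folder"),
    (ADDED,    r"^TCP .* LISTENING$",       1, "opened a listening TCP port"),
]


def rate(lines):
    """Sum rule weights over report lines -> (level, score, reasons)."""
    score, reasons = 0, []
    for marker, key in lines:
        for rule_marker, pattern, weight, why in RULES:
            if marker == rule_marker and re.search(pattern, key, re.IGNORECASE):
                score += weight
                reasons.append(f"{why}: {key}")
    return ("low" if score < 3 else "medium" if score < 6 else "high"), score, reasons


def analyze(before, after, user_exclusions=()):
    """before/after: {'files': {...}, 'reg': {...}, 'netstat': str} from Step 1 and Step 2."""
    parts = {"FileDiff": diff(snapshot_files(before["files"]), snapshot_files(after["files"])),
             "RegDiff": diff(before["reg"], after["reg"]),
             "PortDiff": diff(parse_netstat(before["netstat"]), parse_netstat(after["netstat"]))}
    report = {name: apply_exclusions(lines, user_exclusions) for name, lines in parts.items()}
    report["rating"] = rate(report["FileDiff"] + report["RegDiff"] + report["PortDiff"])
    return report


# Constructed sample: a sandbox before and after running a suspect program.
NETSTAT_HEAD = "Active Connections\n\n  Proto  Local Address   Foreign Address   State       PID\n"
NETSTAT_BEFORE = NETSTAT_HEAD + "  TCP    0.0.0.0:135     0.0.0.0:0         LISTENING   876\n  UDP    0.0.0.0:500     *:*                           1120\n"
NETSTAT_AFTER = NETSTAT_BEFORE + "  TCP    0.0.0.0:4444    0.0.0.0:0         LISTENING   3412\n"
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
BEFORE = {"files": {r"C:\Sandbox\RegHive": b"hive-v1", r"C:\Users\Me\Desktop\sample.exe": b"MZ sample",
                    r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost\n"},
          "reg": {RUN + r"\OneDrive": r"C:\Users\Me\OneDrive.exe"}, "netstat": NETSTAT_BEFORE}
AFTER = {"files": {r"C:\Sandbox\RegHive": b"hive-v2", r"C:\Windows\System32\svc.exe": b"MZ sample",
                   r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost\n1.2.3.4 update.example\n"},
         "reg": {RUN + r"\OneDrive": r"C:\Users\Me\OneDrive.exe", RUN + r"\svc": r"C:\Windows\System32\svc.exe"},
         "netstat": NETSTAT_AFTER}
```

Calling analyze(BEFORE, AFTER) gives the three report lists in the +/~/- notation (RegHive already dropped, the hosts file flagged with "~" because only its content changed, the new 4444 listener in PortDiff) and a rating of ("high", 8, reasons). Feeding rate() a single autorun entry on its own returns "low", which is the point the post makes: one action only counts in combination with others.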

Posted: Mon Oct 12, 2009 3:48 pm
by wraithdu
I'm getting a very vague 'file access denied' error message from SandDiff when trying to run Step 1. It happens in any sandbox, with no programs running, obviously.

SandDiff 1.03
Win7 Pro RTM 32-bit

Posted: Mon Oct 12, 2009 6:23 pm
by Buster
wraithdu wrote:I'm getting a very vague 'file access denied' error message from SandDiff when trying to run Step 1. It happens in any sandbox, with no programs running, obviously.

SandDiff 1.03
Win7 Pro RTM 32-bit
Could you check with File Monitor what file is giving the error, please?

Posted: Mon Oct 12, 2009 10:43 pm
by wraithdu
Looks like I get an ACCESS DENIED error for 'C:\Windows\System32\NETSTAT.EXE' ... probably because it doesn't exist there on Win7. I have that file here:

C:\Windows\winsxs\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7600.16385_none_329d49cdb031b824\NETSTAT.EXE

370	9:38:47.4284740 PM	sanddiff.exe	908	CreateFile	C:\Windows\System32	SUCCESS	Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Open For Backup, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
371	9:38:47.4285282 PM	sanddiff.exe	908	QueryDirectory	C:\Windows\System32\netstat.exe	SUCCESS	Filter: netstat.exe, 1: NETSTAT.EXE
372	9:38:47.4285768 PM	sanddiff.exe	908	CloseFile	C:\Windows\System32	SUCCESS	
373	9:38:47.4294792 PM	sanddiff.exe	908	QueryOpen	C:\Windows\System32\NETSTAT.EXE	FAST IO DISALLOWED	
374	9:38:47.4295919 PM	sanddiff.exe	908	CreateFile	C:\Windows\System32\NETSTAT.EXE	SUCCESS	Desired Access: Read Attributes, Disposition: Open, Options: Open For Backup, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
375	9:38:47.4297151 PM	sanddiff.exe	908	CreateFile	C:\Windows\System32\NETSTAT.EXE	SUCCESS	Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
376	9:38:47.4298660 PM	sanddiff.exe	908	QueryFileInternalInformationFile	C:\Windows\System32\NETSTAT.EXE	SUCCESS	IndexNumber: 0x1000000004894
377	9:38:47.4298887 PM	sanddiff.exe	908	CloseFile	C:\Windows\System32\NETSTAT.EXE	SUCCESS	
378	9:38:47.4300612 PM	sanddiff.exe	908	QueryBasicInformationFile	C:\Windows\System32\NETSTAT.EXE	SUCCESS	CreationTime: 7/13/2009 6:55:12 PM, LastAccessTime: 7/13/2009 6:55:12 PM, LastWriteTime: 7/13/2009 8:14:27 PM, ChangeTime: 7/28/2009 3:33:19 PM, FileAttributes: A
379	9:38:47.4300766 PM	sanddiff.exe	908	CloseFile	C:\Windows\System32\NETSTAT.EXE	SUCCESS	
380	9:38:47.4302429 PM	sanddiff.exe	908	CreateFile	C:\Windows\System32\NETSTAT.EXE	ACCESS DENIED	Desired Access: Generic Read/Write, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a
381	9:38:47.4303495 PM	sanddiff.exe	908	CreateFile	C:\Windows\System32\NETSTAT.EXE	SUCCESS	Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
382	9:38:47.4304819 PM	sanddiff.exe	908	QueryFileInternalInformationFile	C:\Windows\System32\NETSTAT.EXE	SUCCESS	IndexNumber: 0x1000000004894
383	9:38:47.4305022 PM	sanddiff.exe	908	CloseFile	C:\Windows\System32\NETSTAT.EXE	SUCCESS
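
A way to triage a Process Monitor paste like the one above, as an added example (Python, not from the thread): parse the tab-separated rows, list the opens that failed, and show what access every open on that path asked for. The sample rows are copied from the log above (the other rows are left out); the column names are assumed from ProcMon's usual export order and are not something the log itself states.

```python
"""Triage helper for the tab-separated Process Monitor export shown above: find the operation
that failed and the access rights it asked for.  Added example, not from the thread; the rows
below are copied from the pasted log (columns assumed to be seq, time, process, PID, operation,
path, result, detail), with the remaining rows left out."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    seq: int
    time: str
    process: str
    pid: int
    operation: str
    path: str
    result: str
    detail: str


def parse_procmon(text):
    """Each ProcMon row has at least seven tab-separated columns; the detail column may be empty."""
    events = []
    for raw in text.splitlines():
        cols = raw.split("\t")
        if len(cols) < 7 or not cols[0].isdigit():
            continue  # not a log row
        detail = cols[7] if len(cols) > 7 else ""
        events.append(Event(int(cols[0]), cols[1], cols[2], int(cols[3]), cols[4], cols[5], cols[6], detail))
    return events


def desired_access(detail):
    """The 'Desired Access' value itself contains commas, so cut at the next field instead."""
    m = re.search(r"Desired Access: (.*?)(?:, Disposition:|$)", detail)
    return m.group(1) if m else ""


def failed_opens(events):
    """(seq, path, result, requested access) for every CreateFile that did not succeed."""
    return [(e.seq, e.path, e.result, desired_access(e.detail))
            for e in events if e.operation == "CreateFile" and e.result != "SUCCESS"]


def access_history(events, path):
    """Every CreateFile on one path: which access masks were granted and which were refused."""
    return [(e.seq, e.result, desired_access(e.detail))
            for e in events if e.operation == "CreateFile" and e.path.lower() == path.lower()]


NETSTAT = r"C:\Windows\System32\NETSTAT.EXE"
ROWS = [
    ("373", "9:38:47.4294792 PM", "sanddiff.exe", "908", "QueryOpen", NETSTAT, "FAST IO DISALLOWED", ""),
    ("374", "9:38:47.4295919 PM", "sanddiff.exe", "908", "CreateFile", NETSTAT, "SUCCESS",
     "Desired Access: Read Attributes, Disposition: Open, Options: Open For Backup, Open Reparse Point, "
     "Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"),
    ("380", "9:38:47.4302429 PM", "sanddiff.exe", "908", "CreateFile", NETSTAT, "ACCESS DENIED",
     "Desired Access: Generic Read/Write, Disposition: Open, Options: Synchronous IO Non-Alert, "
     "Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a"),
    ("381", "9:38:47.4303495 PM", "sanddiff.exe", "908", "CreateFile", NETSTAT, "SUCCESS",
     "Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, "
     "Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, Write, Delete, "
     "AllocationSize: n/a, OpenResult: Opened"),
]
SAMPLE = "\n".join("\t".join(row) for row in ROWS)
```

Run on the rows above, failed_opens() returns only event 380, and access_history() shows that the opens asking for Read Attributes (374, 381) succeeded while the one asking for Generic Read/Write was refused; the requested access mask is the first thing to read in a denied open before concluding anything about the file itself.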

Posted: Tue Oct 13, 2009 2:25 am
by Buster
Thanks for the report. I will change it.

Edit: I just checked my Windows 7 and NETSTAT.EXE is in Windows\System32 folder.

The problem is that, for a reason I don't know, I cannot call it directly from my program.

The workaround I did was to copy NETSTAT.EXE to SandDiff's folder and execute it from there.

Posted: Tue Oct 13, 2009 12:27 pm
by wraithdu
Sounds like it has to do with some kind of SideBySide installation. I don't know why netstat would be installed that way though...

How are you calling it from your program? CreateProcess? ShellExecute? Through cmd?

Posted: Tue Oct 13, 2009 12:33 pm
by Buster
wraithdu wrote:Sounds like it has to do with some kind of SideBySide installation. I don't know why netstat would be installed that way though...

How are you calling it from your program? CreateProcess? ShellExecute? Through cmd?
Don't you have NETSTAT.EXE in your Windows\System32 folder?

I have it there and in the path you mentioned.

ShellExecute, but the problem is that the file seems to be in use. :shock:

Posted: Tue Oct 13, 2009 1:50 pm
by wraithdu
Hmm, weird. My file manager shows netstat in both System32 and that winsxs directory. However my search program Everything (www.voidtools.com) only shows the copy in the winsxs folder.

Posted: Tue Oct 13, 2009 2:00 pm
by Buster
I installed Windows 7 just a few days ago and haven't had time yet to take a close look at it, but it's obvious that there are differences compared to XP. (I never wanted to try Vista)

When I try to open NETSTAT.EXE (from both the System32 and winsxs folders) I get a "file in use" error in return, but I can copy the file to another folder.

Although I don't understand why it happens, the workaround should work anyway.

Posted: Tue Oct 13, 2009 6:14 pm
by Buster
wraithdu, I have uploaded a new version:

http://sanddiff.qnea.de/sanddiff.rar

Let me know if the bug is gone, please.

Posted: Tue Oct 13, 2009 6:25 pm
by wraithdu
Sweet, works well.

What is your command line for launching netstat? I'd like to test if I have the same problem as you. You said you used ShellExecute right?

Posted: Tue Oct 13, 2009 6:48 pm
by nick s
wraithdu wrote:However my search program Everything (www.voidtools.com) only shows the copy in the winsxs folder.
Using the latest Everything alpha build (1.2.1.432) here on Vista, it appears that Everything is ignoring the contents of \System32.

First edit: I reverted back to build 1.2.1.371 and get the same result.

Final edit: It turns out that C:\Windows\System32\netstat.exe is a hardlink...
Everything's developer wrote:Only the first hardlink of a file will be indexed and monitored.
Files that are not the first hardlink will not be indexed or monitored.

This is a limitation of the USN Change Journal.

I have plans to index all hard links in the future.
However, you will have to update the indexes manually as the USN Change Journal does not support hardlinks.
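
What nick s found, reproduced on a throwaway directory as an added example (Python, not part of the thread): two names for one file record, and an indexer keyed on file identity keeps only the first name it meets. It uses a temp directory instead of System32/winsxs and works on any filesystem that supports hard links; the file names and content are made up.

```python
"""Hard-link behaviour behind the Everything observation above: one file record, two names.
Added example, not from the thread; uses a temp directory rather than System32/winsxs."""
import os
import tempfile


def make_hardlinked_pair(dirpath):
    """Create 'first.exe' with content, then add 'second.exe' as a hard link to the same record."""
    first = os.path.join(dirpath, "first.exe")
    second = os.path.join(dirpath, "second.exe")
    with open(first, "wb") as f:
        f.write(b"MZ netstat")
    os.link(first, second)
    return first, second


def file_identity(path):
    """(device, file id) is what identifies a record; a hard link shares it, a copy does not."""
    st = os.stat(path)
    return st.st_dev, st.st_ino


def link_count(path):
    """Number of names pointing at the record (2 for the pair above)."""
    return os.stat(path).st_nlink


def index_by_identity(paths):
    """Mimic an indexer keyed on file identity: only the first name seen per record survives."""
    seen = {}
    for p in paths:
        seen.setdefault(file_identity(p), p)
    return list(seen.values())


def demo():
    """Returns (same_record, link_count, indexed_names, content_read_via_other_name)."""
    with tempfile.TemporaryDirectory() as d:
        first, second = make_hardlinked_pair(d)
        same = file_identity(first) == file_identity(second)
        names = index_by_identity([second, first])   # enumeration order decides which name survives
        with open(first, "ab") as f:                 # write through one name...
            f.write(b" patched")
        with open(second, "rb") as f:                # ...and the other name sees the change
            content = f.read()
        return same, link_count(first), [os.path.basename(n) for n in names], content
```

demo() returns (True, 2, ["second.exe"], b"MZ netstat patched"): both names resolve to the same record, an identity-keyed index retains whichever name it enumerated first, and a write through either name is visible through the other, which is why a search tool that indexes one name per record can miss the System32 name entirely.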

Posted: Tue Oct 13, 2009 7:05 pm
by Buster
wraithdu wrote:Sweet, works well.

What is your command line for launching netstat? I'd like to test if I have the same problem as you. You said you used ShellExecute right?
netstat -ano

ShellExecute, right.

It's something like this (Delphi code):

     uses
        Windows, ShellAPI, Forms;

     procedure RunAndWait(const ExecuteFile, Parameters: string);
     var
        SEInfo: TShellExecuteInfo;
        ExitCode: DWORD;
     begin
        FillChar(SEInfo, SizeOf(SEInfo), 0);
        SEInfo.cbSize := SizeOf(TShellExecuteInfo);
        with SEInfo do
           begin
           fMask := SEE_MASK_NOCLOSEPROCESS;   // keep hProcess so the exit code can be polled
           Wnd := Application.Handle;
           lpFile := PChar(ExecuteFile);       // e.g. 'NETSTAT.EXE'
           lpParameters := PChar(Parameters);  // e.g. '-ano'
           nShow := SW_NORMAL;
           end;
        if ShellExecuteEx(@SEInfo) then
           begin
           repeat
              Application.ProcessMessages;     // keep the GUI responsive while the child runs
              GetExitCodeProcess(SEInfo.hProcess, ExitCode);
           until (ExitCode <> STILL_ACTIVE) or Application.Terminated;
           CloseHandle(SEInfo.hProcess);       // SEE_MASK_NOCLOSEPROCESS leaves closing to the caller
           end;
     end;

Posted: Tue Oct 13, 2009 11:19 pm
by wraithdu
Is it a security rights issue maybe? Is your app running in a lowered rights mode of sorts so that it can't run apps in system directories?