Posted: Thu Sep 24, 2009 1:15 pm
by Buster
Hi.
I just uploaded SandDiff 1.02. The URL is:
http://sanddiff.qnea.de/sanddiff.rar
The changes I introduced are:
+ SandDiff performs a file modification check, so modified files will be reported in FileDiff.TXT.
I didn't explain it, but in the reports (FileDiff, RegDiff, ...) each line starts with one of 3 symbols:
"+" means that a file or registry entry was added.
"~" means that a file or registry entry was modified.
"-" means that a file or registry entry was removed.
+ I introduced a new button with the label "Meanwhile".
At the moment this button is used to capture a log of connections so SandDiff can compare open ports.
+ I added a feature to easily recover already used sandbox folders.
+ The switch button of the viewer will change from File -> Registry -> Ports (if available) and then back to File again.
+ RegHive and RegHive.LOG are automatically discarded from file difference comparisons.
As usual I may have missed something. Just try the new version and drop your comments.
Actually the TODO list contains:
+ Feature to exclude user-defined files, registry entries and maybe port values too from the differences.
+ Include a module that analyzes all the information obtained from the comparisons and presents a malware behaviour evaluation.
Posted: Fri Sep 25, 2009 5:33 pm
by Buster
I have uploaded SandDiff 1.03.
Changes:
+ Certain files will be stored under a folder named "Config".
+ I added the exclusion list feature.
The user can define what strings must be discarded from difference files. String search is case-insensitive.
With these changes the part of the program comparing differences between 2 sandboxes is, at least at the moment, finished. I don't plan to add new features to this part, only to fix bugs if any are found, but if someone suggests an interesting feature I will be glad to consider adding it.
Now I will start working on the part of the program that analyzes all the differences and evaluates whether the actions taken can be considered suspicious.
My final goal is to create a report listing all the actions that were considered suspicious, if any, and give an evaluation based on them. For this I must create a list of suspicious actions and assign them a "malicious ratio".
Finally the analysing module would say that the analysed program(s) has a "low", "medium" or "high" risk of being malware.
I say it now and I would like not to have to repeat it very often: nobody can expect 100% accurate results, probably not even 1% in some cases.
Some malware will detect that Sandboxie is running, so it will abort operations. In such cases the analysis will be useless.
Some malware doesn't start malicious actions immediately after being run. Again, in such cases the analysis will very probably be useless.
Some malware (backdoors mainly) just opens a port and waits for an incoming connection. It's very risky to evaluate a program as malware just because it opens a port.
People should know that in malware analysis, automatic processes cannot be compared to human analysis, especially when it's done by experts. I'm not an expert coder, malware analyzer or similar. SandDiff just pretends to be an orientative tool.
There are no malware actions "per se", so I cannot say "this program is malware because it did this or that". E.g. malware may add itself to an autorun registry entry, but legitimate software may do it too.
It's the user who must, in the end, evaluate whether the analyzed program should be doing certain things or not.
Building a list of malicious actions will take time. I will wait for tzuk to release a Sandboxie version including the message logging feature, as it will be a very important part of the analyzer. Therefore there will not be a new version of SandDiff for a while.
Meanwhile test as much as possible the current version and send your feedback!
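As an added illustration of the report format described in the 1.02 and 1.03 posts (the "+", "~" and "-" line prefixes, the case-insensitive exclusion list, and the "Meanwhile" capture of `netstat -ano` for port comparison), here is a small Python snapshot differ. It is example code, not SandDiff's own (which is Delphi); it assumes SHA-256 hashing to detect modified files and the standard `netstat -ano` column layout, and the two netstat captures are constructed samples.

```python
import hashlib
from pathlib import Path

ADDED, MODIFIED, REMOVED = "+", "~", "-"   # the three report symbols

def snapshot_files(root):
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    snap = {}
    for p in root.rglob("*"):
        if p.is_file():
            snap[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return snap

def snapshot_ports(netstat_output):
    """Map 'PROTO local_address' to the owning PID from `netstat -ano` text.
    TCP rows carry a State column and UDP rows do not; the PID is always last."""
    ports = {}
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] in ("TCP", "UDP"):
            ports[f"{parts[0]} {parts[1]}"] = parts[-1]
    return ports

def diff_snapshots(before, after, exclude=()):
    """Emit SandDiff-style lines: '+' added, '~' modified, '-' removed.
    Keys containing any exclusion string (compared case-insensitively) are skipped."""
    ex = [e.lower() for e in exclude]
    lines = []
    for key in sorted(set(before) | set(after)):
        if any(e in key.lower() for e in ex):
            continue
        if key not in before:
            lines.append(f"{ADDED} {key}")
        elif key not in after:
            lines.append(f"{REMOVED} {key}")
        elif before[key] != after[key]:
            lines.append(f"{MODIFIED} {key}")
    return lines

# Constructed sample captures (not real output): before the run, and "meanwhile" once a new listener exists.
NETSTAT_BEFORE = """
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  UDP    0.0.0.0:500            *:*                                    1020
"""
NETSTAT_AFTER = NETSTAT_BEFORE + "  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       2312\n"

if __name__ == "__main__":
    print("\n".join(diff_snapshots(snapshot_ports(NETSTAT_BEFORE), snapshot_ports(NETSTAT_AFTER))))
```

The same `diff_snapshots` works for the file and registry views: feed it one mapping per snapshot and pass strings such as "RegHive" in `exclude` to drop the hive files the way SandDiff does.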
Posted: Mon Oct 12, 2009 3:48 pm
by wraithdu
I'm getting a very vague 'file access denied' error message from SandDiff trying to run Step 1. It happens in any sandbox, no programs running obviously.
SandDiff 1.03
Win7 Pro RTM 32-bit
Posted: Mon Oct 12, 2009 6:23 pm
by Buster
wraithdu wrote: I'm getting a very vague 'file access denied' error message from SandDiff trying to run Step 1. It happens in any sandbox, no programs running obviously.
SandDiff 1.03
Win7 Pro RTM 32-bit
Could you check with File Monitor what file is giving the error, please?
Posted: Mon Oct 12, 2009 10:43 pm
by wraithdu
Looks like I get an ACCESS DENIED error for 'C:\Windows\System32\NETSTAT.EXE' ... probably because it doesn't exist there on Win7. I have that file here:
C:\Windows\winsxs\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7600.16385_none_329d49cdb031b824\NETSTAT.EXE
Code:
370 9:38:47.4284740 PM sanddiff.exe 908 CreateFile C:\Windows\System32 SUCCESS Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Open For Backup, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
371 9:38:47.4285282 PM sanddiff.exe 908 QueryDirectory C:\Windows\System32\netstat.exe SUCCESS Filter: netstat.exe, 1: NETSTAT.EXE
372 9:38:47.4285768 PM sanddiff.exe 908 CloseFile C:\Windows\System32 SUCCESS
373 9:38:47.4294792 PM sanddiff.exe 908 QueryOpen C:\Windows\System32\NETSTAT.EXE FAST IO DISALLOWED
374 9:38:47.4295919 PM sanddiff.exe 908 CreateFile C:\Windows\System32\NETSTAT.EXE SUCCESS Desired Access: Read Attributes, Disposition: Open, Options: Open For Backup, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
375 9:38:47.4297151 PM sanddiff.exe 908 CreateFile C:\Windows\System32\NETSTAT.EXE SUCCESS Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
376 9:38:47.4298660 PM sanddiff.exe 908 QueryFileInternalInformationFile C:\Windows\System32\NETSTAT.EXE SUCCESS IndexNumber: 0x1000000004894
377 9:38:47.4298887 PM sanddiff.exe 908 CloseFile C:\Windows\System32\NETSTAT.EXE SUCCESS
378 9:38:47.4300612 PM sanddiff.exe 908 QueryBasicInformationFile C:\Windows\System32\NETSTAT.EXE SUCCESS CreationTime: 7/13/2009 6:55:12 PM, LastAccessTime: 7/13/2009 6:55:12 PM, LastWriteTime: 7/13/2009 8:14:27 PM, ChangeTime: 7/28/2009 3:33:19 PM, FileAttributes: A
379 9:38:47.4300766 PM sanddiff.exe 908 CloseFile C:\Windows\System32\NETSTAT.EXE SUCCESS
380 9:38:47.4302429 PM sanddiff.exe 908 CreateFile C:\Windows\System32\NETSTAT.EXE ACCESS DENIED Desired Access: Generic Read/Write, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a
381 9:38:47.4303495 PM sanddiff.exe 908 CreateFile C:\Windows\System32\NETSTAT.EXE SUCCESS Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
382 9:38:47.4304819 PM sanddiff.exe 908 QueryFileInternalInformationFile C:\Windows\System32\NETSTAT.EXE SUCCESS IndexNumber: 0x1000000004894
383 9:38:47.4305022 PM sanddiff.exe 908 CloseFile C:\Windows\System32\NETSTAT.EXE SUCCESS
Posted: Tue Oct 13, 2009 2:25 am
by Buster
Thanks for the report. I will change it.
Edit: I just checked my Windows 7 and NETSTAT.EXE is in the Windows\System32 folder.
The problem is that, for a reason I don't know, I cannot call it directly from my program.
The workaround I did was to copy NETSTAT.EXE to SandDiff's folder and execute it from there.
Posted: Tue Oct 13, 2009 12:27 pm
by wraithdu
Sounds like it has to do with some kind of SideBySide installation. I don't know why netstat would be installed that way though...
How are you calling it from your program? CreateProcess? ShellExecute? Through cmd?
Posted: Tue Oct 13, 2009 12:33 pm
by Buster
wraithdu wrote: Sounds like it has to do with some kind of SideBySide installation. I don't know why netstat would be installed that way though...
How are you calling it from your program? CreateProcess? ShellExecute? Through cmd?
Don't you have NETSTAT.EXE in your Windows\System32 folder?
I have it there and in the path you mentioned.
ShellExecute, but the problem is that the file seems to be in use.
Posted: Tue Oct 13, 2009 1:50 pm
by wraithdu
Hmm, weird. My file manager shows netstat in both System32 and that winsxs directory. However my search program Everything (www.voidtools.com) only shows the copy in the winsxs folder.
Posted: Tue Oct 13, 2009 2:00 pm
by Buster
I installed Windows 7 just a few days ago and I haven't had time yet to take a close look at it, but it's obvious that there are different things compared to XP. (I never wanted to try Vista.)
When I try to open NETSTAT.EXE (both from the System32 and winsxs folders) I get a "file in use" in return, but I can copy the file to another folder.
Meanwhile, although I don't understand why it happens, the workaround should work anyway.
Posted: Tue Oct 13, 2009 6:14 pm
by Buster
wraithdu, I have uploaded a new version:
http://sanddiff.qnea.de/sanddiff.rar
Let me know if the bug is gone, please.
Posted: Tue Oct 13, 2009 6:25 pm
by wraithdu
Sweet, works well.
What is your command line for launching netstat? I'd like to test if I have the same problem as you. You said you used ShellExecute right?
Posted: Tue Oct 13, 2009 6:48 pm
by nick s
wraithdu wrote: However my search program Everything (www.voidtools.com) only shows the copy in the winsxs folder.
Using the latest Everything alpha build (1.2.1.432) here on Vista, it appears that Everything is ignoring the contents of \System32.
First edit: I reverted back to build 1.2.1.371 and get the same result.
Final edit: It turns out that C:\Windows\System32\netstat.exe is a hardlink...
Everything's developer wrote: Only the first hardlink of a file will be indexed and monitored.
Files that are not the first hardlink will not be indexed or monitored.
This is a limitation of the USN Change Journal.
I have plans to index all hard links in the future.
However, you will have to update the indexes manually as the USN Change Journal does not support hardlinks.
Posted: Tue Oct 13, 2009 7:05 pm
by Buster
wraithdu wrote: Sweet, works well.
What is your command line for launching netstat? I'd like to test if I have the same problem as you. You said you used ShellExecute right?
netstat -ano
ShellExecute, right.
It's something like this (Delphi code):
Code:
uses
  Windows, ShellAPI, Forms;

procedure RunAndWait(const ExecuteFile, Parameters: string);
var
  SEInfo: TShellExecuteInfo;
  ExitCode: DWORD;
begin
  FillChar(SEInfo, SizeOf(SEInfo), 0);
  SEInfo.cbSize := SizeOf(TShellExecuteInfo);
  with SEInfo do
  begin
    fMask := SEE_MASK_NOCLOSEPROCESS; // keep hProcess open so the loop below can poll it
    Wnd := Application.Handle;
    lpFile := PChar(ExecuteFile);      // e.g. NETSTAT.EXE
    lpParameters := PChar(Parameters); // e.g. '-ano'
    nShow := SW_NORMAL;
  end;
  if ShellExecuteEx(@SEInfo) then
  begin
    repeat
      Application.ProcessMessages;
      GetExitCodeProcess(SEInfo.hProcess, ExitCode);
    until (ExitCode <> STILL_ACTIVE) or Application.Terminated;
    CloseHandle(SEInfo.hProcess); // SEE_MASK_NOCLOSEPROCESS left this handle open
  end;
end;
Posted: Tue Oct 13, 2009 11:19 pm
by wraithdu
Is it a security rights issue maybe? Is your app running in a lowered rights mode of sorts so that it can't run apps in system directories?