Buster Sandbox Analyzer

Utilities designed for use with Sandboxie
Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Mon Nov 23, 2009 1:45 pm

UPieper wrote: a very useful tool indeed. A small suggestion I have is to add two buttons in the GUI, "Open FileDiff" and "Open RegDiff"...
Ok, I will consider it.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Mon Nov 23, 2009 1:49 pm

I have released Buster Sandbox Analyzer 1.0.

You can download it from here:

http://bsa.qnea.de/bsa.rar

Several new things have been introduced with respect to the last published beta release. Reading the manual is necessary in order to configure the tool properly.

If someone has any doubt I'll be glad to give explanations.

UPieper
Posts: 61
Joined: Sun Dec 16, 2007 7:07 am

Post by UPieper » Mon Nov 23, 2009 2:52 pm

Hi Buster,

For info: Avira flags log_api.dll as a backdoor. I also did a scan at VirusTotal:

File LOG_API.DLL received on 2009.11.23 19:39:02 (UTC)
Result: 7/41 (17.08%)

Regards

UP

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Mon Nov 23, 2009 3:38 pm

UPieper wrote: Hi Buster,

For info: Avira flags log_api.dll as a backdoor. I also did a scan at VirusTotal:

File LOG_API.DLL received on 2009.11.23 19:39:02 (UTC)
Result: 7/41 (17.08%)

Regards

UP
LOG_API.DLL hooks several APIs; that's why some antivirus products may detect it heuristically.

Mark_
Posts: 111
Joined: Wed Dec 31, 2008 3:48 pm

Post by Mark_ » Mon Nov 23, 2009 8:37 pm

I uploaded the DLL through the GUI as a suspected false positive.
It might be an idea to also upload it on the site somewhere, with an explanation of its purpose :)

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Mon Nov 23, 2009 8:39 pm

Mark_ wrote: I uploaded the DLL through the GUI as a suspected false positive.
It might be an idea to also upload it on the site somewhere, with an explanation of its purpose :)
Sorry, but I'm not sure I understand what you mean. Could you explain again in other words?

Mark_
Posts: 111
Joined: Wed Dec 31, 2008 3:48 pm

Post by Mark_ » Mon Nov 23, 2009 9:30 pm

Buster wrote:
Mark_ wrote: I uploaded the DLL through the GUI as a suspected false positive.
It might be an idea to also upload it on the site somewhere, with an explanation of its purpose :)
Sorry, but I'm not sure I understand what you mean. Could you explain again in other words?
It might be useful for speedily removing the false positive that flags log_api.dll as a virus if you mail the file to their customer support with an explanation about the file.

And some random comments about your DLL:

You hooked, for example, _lopen in kernel32, but that in turn simply calls CreateFileA (which calls CreateFileW).
It looks like you built the DLL as a debug build? (This is bad for performance.)
You load psapi.dll but you never release it (FreeLibrary).
The DLL name is hardcoded. It might be useful for anti-detection purposes to rename it, but any functions depending on its name could fail due to it not being found under its default name.
You call WSAStartup once (you control this through a bool; use DLL_PROCESS_ATTACH instead?), yet you never call WSACleanup. (Why call WSAStartup in the first place? It's not like you have to initialize connections.)
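Mark_'s _lopen point, as an added example that is not code from BSA or LOG_API.DLL: given the APIs a logger intends to hook, drop the wrapper hooks whose forwarding chain already reaches a hooked API, so one file operation is logged once instead of at every layer. The forwarding table is constructed; only the _lopen -> CreateFileA -> CreateFileW chain comes from the post, the other entries are assumptions for illustration.

```python
# Added example (not code from BSA or LOG_API.DLL): prune redundant API hooks.
from typing import Dict, List, Set, Tuple

# Constructed forwarding graph: wrapper API -> the API it calls internally.
# The _lopen -> CreateFileA -> CreateFileW chain is the one described in the
# thread; every entry marked "assumed" is an illustration, not a verified fact.
FORWARDS: Dict[str, str] = {
    "_lopen": "CreateFileA",
    "CreateFileA": "CreateFileW",
    "OpenFile": "CreateFileA",           # assumed
    "WinExec": "CreateProcessA",         # assumed
    "CreateProcessA": "CreateProcessW",  # assumed
}


def forwarding_chain(api: str) -> List[str]:
    """APIs that `api` forwards to, outermost first, innermost last (cycle-safe)."""
    chain: List[str] = []
    seen = {api}
    while api in FORWARDS and FORWARDS[api] not in seen:
        api = FORWARDS[api]
        seen.add(api)
        chain.append(api)
    return chain


def minimal_hooks(requested: Set[str]) -> Tuple[Set[str], Dict[str, str]]:
    """Split `requested` into hooks worth installing and redundant ones.

    A hook is redundant when an API further down its forwarding chain is also
    hooked: the inner hook already sees every call the outer wrapper makes.
    The returned dict maps each redundant API to the innermost hook covering it.
    """
    keep: Set[str] = set()
    redundant: Dict[str, str] = {}
    for api in sorted(requested):
        inner_hooked = [a for a in forwarding_chain(api) if a in requested]
        if inner_hooked:
            redundant[api] = inner_hooked[-1]
        else:
            keep.add(api)
    return keep, redundant


if __name__ == "__main__":
    wanted = {"_lopen", "CreateFileA", "CreateFileW", "WinExec", "RegSetValueExW"}
    keep, dropped = minimal_hooks(wanted)
    print("install hooks on:", sorted(keep))
    for api, covered_by in sorted(dropped.items()):
        print(f"skip {api}: calls already logged via {covered_by}")
```

This pruning is only valid for inline (detour) hooks, where kernel32's own internal call from _lopen into CreateFileA passes through the hooked entry point; with import-table hooks placed in the sample, that internal call bypasses the hook and the outer wrapper must still be hooked.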

Tester

Post by Tester » Mon Nov 23, 2009 9:49 pm

Problem creating a file when pressing the "Check Port" and then the "Find Differences" buttons.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Tue Nov 24, 2009 2:58 am

Mark_ wrote: And some random comments about your DLL:

You hooked, for example, _lopen in kernel32, but that in turn simply calls CreateFileA (which calls CreateFileW).
It looks like you built the DLL as a debug build? (This is bad for performance.)
You load psapi.dll but you never release it (FreeLibrary).
The DLL name is hardcoded. It might be useful for anti-detection purposes to rename it, but any functions depending on its name could fail due to it not being found under its default name.
You call WSAStartup once (you control this through a bool; use DLL_PROCESS_ATTACH instead?), yet you never call WSACleanup. (Why call WSAStartup in the first place? It's not like you have to initialize connections.)
I didn't code that DLL. It was coded by David Zimmer when he was working for iDefense Labs (http://labs.idefense.com/). David released the DLL as part of the SysAnalyzer package:

http://labs.idefense.com/software/malcode.php

I don't know how to code in C++. I have modified the source intuitively to adapt it to my needs.

It seems like you know C++ and know how to fix the problems you comment on. If you don't mind, we can be in touch by mail and talk about fixing them. Is that ok? Please mail me at the address that appears in the tool.

About the anti-detection... malware coders will detect Sandboxie. I think it will not change anything if the API logger DLL has a static name.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Tue Nov 24, 2009 3:17 am

Tester: Thanks for the report!

I can reproduce the bug. It will be fixed in next release.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Sat Nov 28, 2009 11:11 am

Released Buster Sandbox Analyzer 1.01.

Change list:

Added backdoor and keylogger detection capabilities

Added Event and Service creation detection capabilities

Added malware analyzer detection capabilities

Added the option of visualizing report files directly from the tool

Fixed a bug related to the creation of port differences

As usual current version can be downloaded from http://bsa.qnea.de/bsa.rar

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Tue Dec 01, 2009 11:16 am

Buster Sandbox Analyzer has a website. Ugly, I know, but a website. :)

You can visit it here:

http://bsa.qnea.de/

ApoNie

Post by ApoNie » Fri Dec 04, 2009 5:25 am

I'm interested in joining to develop BSA. Can you give the full source code? Maybe I can take on the report's results and the program interface :)

You can add me on Yahoo Messenger: s h a h r i r 1 9 9 9 at yahoo.com (remove spaces). We can discuss further there.. ;)

Newuser

Post by Newuser » Fri Dec 04, 2009 5:30 am

Can I configure which registry entries count as High risk actions?

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Post by Buster » Fri Dec 04, 2009 7:10 am

Newuser wrote: Can I configure which registry entries count as High risk actions?
I'm not sure I understand what you want.

Do you want to add your own custom registry entries, or define which of the registry entries already defined in BSA.DAT must be considered high risk?
