Re: Buster Sandbox Analyzer

Posted: Sun May 04, 2014 7:06 pm
by Buster
Anyone up to collect executables containing misleading icons?
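Executables with misleading icons are usually paired with a misleading name (a document extension, a double extension, or a right-to-left override character that hides the real ".exe"). The following is an added example, not code from Buster Sandbox Analyzer or this thread: it is a small triage helper that flags such files by comparing what the name suggests with what the bytes actually are (MZ/PE header check). It does not inspect the icon image itself; the name/content mismatch heuristic, the extension lists and the finding labels are this example's own assumptions, and the PE stub used as input is constructed inline.

```python
import os
import struct
import tempfile
from typing import List, Optional, Tuple

# Assumed lists: extensions a user expects to open in a viewer, and ones Windows runs.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}
RTLO = "\u202e"  # Right-to-left override: makes "photo\u202efdp.exe" render as "photoexe.pdf"


def is_pe_file(data: bytes) -> bool:
    """Return True if the bytes carry a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE signature
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_name(filename: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (inner_ext, final_ext): the last extension and the one before it, lowercased."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None, None
    final_ext = "." + parts[-1]
    inner_ext = "." + parts[-2] if len(parts) >= 3 else None
    return inner_ext, final_ext


def assess(filename: str, data: bytes) -> List[str]:
    """Return finding labels for a file whose name and content disagree."""
    findings = []
    inner_ext, final_ext = classify_name(filename)
    pe = is_pe_file(data)
    # A PE image wearing a document extension (relies on a viewer association being wrong).
    if pe and final_ext in DOCUMENT_EXTENSIONS:
        findings.append("pe-content-with-document-extension")
    # Classic "invoice.pdf.exe": the visible part of the name is the document extension.
    if pe and inner_ext in DOCUMENT_EXTENSIONS and final_ext in EXECUTABLE_EXTENSIONS:
        findings.append("double-extension-disguise")
    # RTLO reverses how the tail of the name is displayed; flag it whenever the content is a PE.
    if pe and RTLO in filename:
        findings.append("rtlo-in-filename")
    return findings


def build_minimal_pe_stub() -> bytes:
    """Constructed sample: 64-byte DOS header with e_lfanew=0x40, followed by a PE signature."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


def scan_directory(path: str) -> dict:
    """Assess every regular file under path; returns {filename: findings} for flagged files."""
    results = {}
    for entry in os.scandir(path):
        if not entry.is_file():
            continue
        with open(entry.path, "rb") as fh:
            head = fh.read(4096)  # headers live in the first few KB; no need to read it all
        findings = assess(entry.name, head)
        if findings:
            results[entry.name] = findings
    return results


if __name__ == "__main__":
    # Constructed samples written to a temporary directory, then scanned.
    samples = {
        "invoice.pdf.exe": build_minimal_pe_stub(),
        "report.pdf": build_minimal_pe_stub(),
        "photo" + RTLO + "fdp.exe": build_minimal_pe_stub(),
        "setup.exe": build_minimal_pe_stub(),
        "notes.txt": b"plain text, not a PE",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        for name, findings in scan_directory(tmp).items():
            print(f"{name!r}: {findings}")
```

The header check deliberately stops at the PE signature: deciding whether the embedded icon looks like a document icon would need image comparison against known icon sets, which this helper does not attempt. Treat the findings as triage hints for which samples to sandbox first, not as verdicts.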

Re: Buster Sandbox Analyzer

Posted: Tue May 06, 2014 10:50 am
by SandyBox
Hi Buster,

glad to hear that you resumed your Analyzer project.

Now I gave Sandboxie with the collaboration of BSA another try.
The configuration with LOG_API32.DLL works fine. But the injection of LOG_API64.DLL doesn't work when starting Windows Explorer sandboxed. Windows Explorer seems to crash because WerFault.exe starts as a process in Sandboxie.
Also programs such as notepad.exe crash when I try to save a text-file to disk. In contrast cmd.exe seems to work with LOG_API64.DLL.

On my Windows 7 64-bit OS I have installed Sandboxie beta4.9.4 (64-bit version) and your BSA 1.88 with the fourth update.

Please could you tell me if some functionality of BSA is missing while I can use LOG_API32.DLL only? Or is there a way to get the 64-bit DLL working?

Thanks in advance and keep up the great work
best regards
Martin

Re: Buster Sandbox Analyzer

Posted: Tue May 06, 2014 12:01 pm
by Buster
SandyBox wrote: Now I gave Sandboxie with the collaboration of BSA another try.
The configuration with LOG_API32.DLL works fine. But the injection of LOG_API64.DLL doesn't work when starting Windows Explorer sandboxed. Windows Explorer seems to crash because WerFault.exe starts as a process in Sandboxie.
Also programs such as notepad.exe crash when I try to save a text-file to disk. In contrast cmd.exe seems to work with LOG_API64.DLL.

On my Windows 7 64-bit OS I have installed Sandboxie beta4.9.4 (64-bit version) and your BSA 1.88 with the fourth update.
Please install Sandboxie 3.76 and let me know if injection of LOG_API64.DLL also crashes Windows Explorer and notepad.exe.

We need to know if it is a problem in Sandboxie or in the DLL.
SandyBox wrote: Please could you tell me if some functionality of BSA is missing while I can use LOG_API32.DLL only?
You will not miss anything when you analyze 32 bit applications. If you analyze 64 bit applications they may crash, so you could not analyze them.

Re: Buster Sandbox Analyzer

Posted: Tue May 06, 2014 4:38 pm
by SandyBox
Hi Buster,

thank you for the quick reply.

So I reinstalled Sandboxie 3.76. But the problem persists. With injection of LOG_API64.DLL when I try opening Windows Explorer or saving a file in notepad the corresponding application crashes.

Do you have an idea how the cause of this problem could be localized? It would be great to be able to analyze 64-bit programs.

By the way: Creating a text-file with Windows Explorer and using injection of LOG_API32.DLL results in a correct RegDiff-report. :D It's great but - what I don't understand - according to task-manager my Windows Explorer is 64-bit. :shock:
Edit: (censored) happens. At least that was the case in Sandboxie 4.9.4. Now even the injection of LOG_API32.DLL is problematic. Now, if BSA is loaded and analyzing, a dialog box opens saying that access to the destination folder was denied, and clicking to continue with higher privileges doesn't work. What have I done wrong?

Thank you very much in advance and best regards
Martin

Re: Buster Sandbox Analyzer

Posted: Wed May 07, 2014 3:37 am
by Buster
I can reproduce the problem under Windows 7 64 bit. I will try to contact the person who wrote the DLL.

Re: Buster Sandbox Analyzer

Posted: Wed May 07, 2014 4:39 am
by SandyBox
Hi Buster,

it's a great pleasure to hear that you pay attention to the 64-bit injection.

And regarding the 32-bit injection: I identified the problem. The Sandboxie folder (e.g. DefaultBox) has to be created by Sandboxie itself, not by BSA. So when starting an analysis the sandbox must not be empty.
(Sandboxie runs as normal user whereas BSA runs with administrative privileges.)

I hope the problem regarding 64-bit can be sorted out in a little while.

best regards
Martin

Re: Buster Sandbox Analyzer

Posted: Wed May 07, 2014 6:53 am
by Buster
SandyBox wrote: I hope the problem regarding 64-bit can be sorted out in a little while.
I am afraid that will not happen. The person in charge of the DLL is not available at the moment.

Re: Buster Sandbox Analyzer

Posted: Mon May 19, 2014 6:02 am
by Buster
I have news about LOG_API64 problems.

After talking with the guy coding the DLL and doing some tests, we found Sandboxie version 4 (even version 4.10 RC) still has bugs in the DLL injection mechanism. The injection mechanism works fine up to version 3.76, but since version 4, even after the bug fixes done by the Invincea team, it is buggy.

When LOG_API64 hooks the NTDLL/Kernel32 DLLs in version 4 the problems appear. These problems are not present in Sandboxie 3.76.

Tests must be done with the next version of the LOG_API64 DLL: http://www.woodmann.com/virusbuster/log_api64.rar

SandyBox: Please replace your log_api64.dll with that DLL and do the following test:

Install Sandboxie 3.76 and sandbox Windows Explorer and try saving a file in notepad. Do you see any problem?

Then install Sandboxie 4.10 RC beta version and do the same. Do you see any problem?

Come back and post what you see after doing tests, please.

Re: Buster Sandbox Analyzer

Posted: Mon May 19, 2014 6:32 am
by Buster
And the problem with Sandboxie 4.x versions does not stop there. I also noticed that the API used to exchange information between LOG_API and BSA is not working. I mean SendMessage API.

Sandboxie 3.76 64 bit and BSA work fine. API information is shown in BSA.

Sandboxie 4.10 RC and BSA don't work. API information is missed by BSA.

Curt: Are you going to work to fix these problems?

Re: Buster Sandbox Analyzer

Posted: Sat Jun 14, 2014 6:26 pm
by Coldblackice
Buster wrote: And the problem with Sandboxie 4.x versions does not stop there. I also noticed that the API used to exchange information between LOG_API and BSA is not working. I mean SendMessage API.

Sandboxie 3.76 64 bit and BSA work fine. API information is shown in BSA.

Sandboxie 4.10 RC and BSA don't work. API information is missed by BSA.

Curt: Are you going to work to fix these problems?
Would it be helpful if I did the tests that you mentioned above for SandyBox? Or is it a matter of waiting for Invincea to iron out the API issues first?

Re: Buster Sandbox Analyzer

Posted: Mon Jun 16, 2014 11:39 am
by Buster
Coldblackice wrote: Would it be helpful if I did the tests that you mentioned above for SandyBox? Or is it a matter of waiting for Invincea to iron out the API issues first?
Curt commented that the problem of communication (SendMessage API) and the issues between BSA and Sandboxie 4.x may be related so it is a matter of waiting for Invincea to find out what is going on.

Thanks anyway for offering your help to test!

Re: Buster Sandbox Analyzer

Posted: Wed Jun 18, 2014 1:54 pm
by Curt@invincea
I believe BSA will be back in business in the near future.

Re: Buster Sandbox Analyzer

Posted: Wed Jun 18, 2014 2:21 pm
by Buster
Curt: It would be nice if you post here your findings about the incompatibility issues you are finding.

Re: Buster Sandbox Analyzer

Posted: Mon Jun 23, 2014 2:22 am
by Coldblackice
Curt@invincea wrote: I believe BSA will be back in business in the near future.
Fantastic news! A number of colleagues will be elated to hear this.
Buster wrote: Curt: It would be nice if you post here your findings about the incompatibility issues you are finding.
Agreed -- this would be curiously helpful to know.

Re: Buster Sandbox Analyzer

Posted: Thu Jun 26, 2014 4:52 am
by Buster
Curt: What are you actually working on to get BSA back in business?

I mean, what is necessary to change in Sandboxie to get BSA working fine?