Buster Sandbox Analyzer
Re: Buster Sandbox Analyzer
Anyone up to collect executables containing misleading icons?
Re: Buster Sandbox Analyzer
Hi Buster,
glad to hear that you resumed your Analyzer project.
Now I gave Sandboxie with the collaboration of BSA another try.
The configuration with LOG_API32.DLL works fine. But the injection of LOG_API64.DLL doesn't work when starting Windows Explorer sandboxed. Windows Explorer seems to crash because WerFault.exe starts as a process in Sandboxie.
Also programs such as notepad.exe crash when I try to save a text-file to disk. In contrast cmd.exe seems to work with LOG_API64.DLL.
On my Windows 7 64-bit OS I have installed Sandboxie beta4.9.4 (64-bit version) and your BSA 1.88 with the fourth update.
Please could you tell me if some functionality of BSA is missing while I can use LOG_API32.DLL only? Or is there a way to get the 64-bit DLL working?
Thanks in advance and keep up the great work
best regards
Martin
Re: Buster Sandbox Analyzer
SandyBox wrote:
> Now I gave Sandboxie with the collaboration of BSA another try.
> The configuration with LOG_API32.DLL works fine. But the injection of LOG_API64.DLL doesn't work when starting Windows Explorer sandboxed. Windows Explorer seems to crash because WerFault.exe starts as a process in Sandboxie.
> Also programs such as notepad.exe crash when I try to save a text-file to disk. In contrast cmd.exe seems to work with LOG_API64.DLL.
> On my Windows 7 64-bit OS I have installed Sandboxie beta4.9.4 (64-bit version) and your BSA 1.88 with the fourth update.
Please install Sandboxie 3.76 and let me know if injection of LOG_API64.DLL also crashes Windows Explorer and notepad.exe.
We need to know if it is a problem in Sandboxie or in the DLL.
SandyBox wrote:
> Please could you tell me if some functionality of BSA is missing while I can use LOG_API32.DLL only?
You will not miss anything when you analyze 32 bit applications. If you analyze 64 bit applications they may crash, so you could not analyze them.
Re: Buster Sandbox Analyzer
Hi Buster,
thank you for the quick reply.
So I reinstalled Sandboxie 3.76. But the problem persists. With injection of LOG_API64.DLL when I try opening Windows Explorer or saving a file in notepad the corresponding application crashes.
Do you have an idea how the cause of this problem could be localized? It would be great being able to analyze 64-bit programs.
By the way: Creating a text-file with Windows Explorer and using injection of LOG_API32.DLL results in a correct RegDiff-report. It's great but - what I don't understand - according to task-manager my Windows Explorer is 64-bit.
Edit: (censored) happens. At least that was the case in Sandboxie 4.9.4. Now even the injection of LOG_API32.DLL is problematic. Now if BSA is loaded and analyzing, a dialog box opens saying that access to destination folder was denied and clicking to continue with higher privileges doesn't work. What have I done wrong?
Thank you very much in advance and best regards
Martin
Re: Buster Sandbox Analyzer
I can reproduce the problem under Windows 7 64 bit. I will try to contact the person who wrote the DLL.
Re: Buster Sandbox Analyzer
Hi Buster,
it's a great pleasure to hear that you pay attention to the 64-bit injection.
And regarding the 32-bit injection: I identified the problem. The SandBoxie Folder (e.g. DefaultBox) has to be created by Sandboxie itself, not by BSA. So when starting an analysis the Sandbox must not be empty.
(Sandboxie runs as normal user whereas BSA runs with administrative privileges.)
I hope the problem regarding 64-bit can be sorted out in a little while.
best regards
Martin
Re: Buster Sandbox Analyzer
SandyBox wrote:
> I hope the problem regarding 64-bit can be sorted out in a little while.
I am afraid that will not happen. The person in charge of the DLL is not available at the moment.
Re: Buster Sandbox Analyzer
I have news about LOG_API64 problems.
After talking with the guy coding the dll and doing some tests we found Sandboxie version 4 (even version 4.10 RC) still has bugs in the dll injection mechanism. Injection mechanism works fine until version 3.76, but since version 4, even after the bug fixes done by Invincea team, is buggy.
When LOG_API64 hooks NTDLL/Kernel32 dlls in version 4 the problems appear. These problems are not present in Sandboxie 3.76.
Tests must be done with next version of LOG_API64 dll: http://www.woodmann.com/virusbuster/log_api64.rar
SandyBox: Please replace your log_api64.dll with that dll and make next test:
Install Sandboxie 3.76 and sandbox Windows Explorer and try saving a file in notepad. Do you see any problem?
Then install Sandboxie 4.10 RC beta version and do the same. Do you see any problem?
Come back and post what you see after doing tests, please.
Re: Buster Sandbox Analyzer
And the problem with Sandboxie 4.x versions does not stop there. I also noticed that the API used to exchange information between LOG_API and BSA is not working. I mean SendMessage API.
Sandboxie 3.76 64 bit and BSA work fine. API information is shown in BSA.
Sandboxie 4.10 RC and BSA don't work. API information is missed by BSA.
Curt: Are you going to work to fix these problems?
Re: Buster Sandbox Analyzer
Buster wrote:
> And the problem with Sandboxie 4.x versions does not stop there. I also noticed that the API used to exchange information between LOG_API and BSA is not working. I mean SendMessage API.
> Sandboxie 3.76 64 bit and BSA work fine. API information is shown in BSA.
> Sandboxie 4.10 RC and BSA don't work. API information is missed by BSA.
> Curt: Are you going to work to fix these problems?
Would it be helpful if I did the tests that you mentioned above for SandyBox? Or is it a matter of waiting for Invincea to iron out the API issues first?
Re: Buster Sandbox Analyzer
Coldblackice wrote:
> Would it be helpful if I did the tests that you mentioned above for SandyBox? Or is it a matter of waiting for Invincea to iron out the API issues first?
Curt commented that the problem of communication (SendMessage API) and the issues between BSA and Sandboxie 4.x may be related so it is a matter of waiting for Invincea to find out what is going on.
Thanks anyway for offering your help to test!
Sandboxie Lead Developer
Re: Buster Sandbox Analyzer
I believe BSA will be back in business in the near future.
Re: Buster Sandbox Analyzer
Curt: It would be nice if you post here your findings about the incompatibility issues you are finding.
Re: Buster Sandbox Analyzer
Curt@invincea wrote:
> I believe BSA will be back in business in the near future.
Fantastic news! A number of colleagues will be elated to hear this.
Buster wrote:
> Curt: It would be nice if you post here your findings about the incompatibility issues you are finding.
Agreed -- this would be curiously helpful to know.
Re: Buster Sandbox Analyzer
Curt: What are you actually working on to get BSA in business?
I mean, what is necessary to change in Sandboxie to get BSA working fine?