
SandDiff

Utilities designed for use with Sandboxie

Postby Buster » Thu Sep 24, 2009 6:15 pm

Hi.

I just uploaded SandDiff 1.02. The URL is: http://sanddiff.qnea.de/sanddiff.rar

The changes I introduced are:

+ SandDiff now performs a file modification check, so modified files will be reported in FileDiff.TXT.

I didn't explain it before, but in the reports (FileDiff, RegDiff, ...) each line starts with one of 3 symbols:

"+" means that a file or registry entry was added.

"~" means that a file or registry entry was modified.

"-" means that a file or registry entry was removed.


+ I introduced a new button with the label "Meanwhile".

At the moment this button is used to capture a log of connections so SandDiff can compare opened ports.


+ I added a feature to easily recover already used sandbox folders.


+ The switch button of the viewer will change from File -> Registry -> Ports (if available) and then back to File again.


+ RegHive and RegHive.LOG are automatically discarded from file difference comparisons.


As usual, I may have missed something. Just try the new version and drop your comments.

Currently the TODO list contains:

+ Feature to exclude user-defined files, registry entries and maybe port values from the differences.

+ Include a module that analyzes all the information obtained from the comparisons and presents a malware behaviour evaluation.
Buster
 
Posts: 2364
Joined: Mon Aug 06, 2007 7:38 pm
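As an added example (not SandDiff's own code, which is Delphi and not published here), this is the comparison the report format above describes: two snapshots diffed into "+", "~" and "-" lines, and two captures of `netstat -ano` output (what the "Meanwhile" button stores) diffed into port lines. The snapshots, the registry keys and the netstat text are constructed sample data; the SHA-256 fingerprint and the `(protocol, local address, PID)` key are my choices, not the project's.

```python
"""Added example, not SandDiff's own code: the before/after comparison
that SandDiff's report format describes, run over constructed snapshots.

Files and registry values are modelled as dicts mapping a path to a
fingerprint (SHA-256 of the content for files, the value data for
registry entries). "+", "~" and "-" carry the meanings the post gives.
The port diff parses the text that `netstat -ano` prints, which is what
the "Meanwhile" button captures, and reports sockets that appeared or
disappeared between the two captures, keyed by protocol, local address
and owning PID."""
import hashlib
import re

ADDED, MODIFIED, REMOVED = "+", "~", "-"


def diff_snapshots(before, after):
    """Return sorted report lines of the form '<symbol> <key>'."""
    lines = []
    for key in sorted(set(before) | set(after)):
        if key not in before:
            lines.append(f"{ADDED} {key}")
        elif key not in after:
            lines.append(f"{REMOVED} {key}")
        elif before[key] != after[key]:
            lines.append(f"{MODIFIED} {key}")   # present in both, content changed
    return lines


def fingerprint(content: bytes) -> str:
    """Hash file content so a same-size rewrite still shows up as '~'."""
    return hashlib.sha256(content).hexdigest()


# One socket per line; the State column is absent for UDP, e.g.
#   TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    712
#   UDP    0.0.0.0:500    *:*                       1040
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Map (proto, local address, pid) -> state for every socket line."""
    sockets = {}
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:                       # skips 'Active Connections' and the header
            proto, local, _remote, state, pid = m.groups()
            sockets[(proto, local, int(pid))] = state or ""
    return sockets


def diff_ports(before_text, after_text):
    """Report sockets present in only one of the two netstat captures."""
    before, after = parse_netstat(before_text), parse_netstat(after_text)
    lines = []
    for key in sorted(set(before) | set(after)):
        proto, local, pid = key
        if key not in before:
            lines.append(f"{ADDED} {proto} {local} pid={pid} {after[key]}".rstrip())
        elif key not in after:
            lines.append(f"{REMOVED} {proto} {local} pid={pid} {before[key]}".rstrip())
    return lines


# Constructed sample data standing in for two sandbox snapshots.
BEFORE_FILES = {
    r"C:\Program Files\App\app.exe": fingerprint(b"app v1"),
    r"C:\Windows\System32\drivers\etc\hosts": fingerprint(b"127.0.0.1 localhost"),
}
AFTER_FILES = {
    r"C:\Program Files\App\app.exe": fingerprint(b"app v1"),
    r"C:\Windows\System32\drivers\etc\hosts":
        fingerprint(b"127.0.0.1 localhost\r\n203.0.113.5 update.vendor.example"),
    r"C:\Users\user\AppData\Roaming\Updater\updater.exe": fingerprint(b"dropped binary"),
}
BEFORE_REG = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
}
AFTER_REG = {**BEFORE_REG,
             r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater":
                 r"C:\Users\user\AppData\Roaming\Updater\updater.exe"}
NETSTAT_BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  UDP    0.0.0.0:500            *:*                                    1040
"""
NETSTAT_AFTER = NETSTAT_BEFORE + \
    "  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2280\n"

if __name__ == "__main__":
    print("\n".join(diff_snapshots(BEFORE_FILES, AFTER_FILES)))   # FileDiff
    print("\n".join(diff_snapshots(BEFORE_REG, AFTER_REG)))       # RegDiff
    print("\n".join(diff_ports(NETSTAT_BEFORE, NETSTAT_AFTER)))   # port diff
```

Hashing content rather than comparing size and timestamp is what makes the "~" line trustworthy: a program that rewrites a file in place and restores its timestamps still changes the digest. The port diff deliberately keys on the owning PID as well, so a second process taking over the same port after the first one exits shows up as a removal and an addition rather than nothing.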

Postby Buster » Fri Sep 25, 2009 10:33 pm

I have uploaded SandDiff 1.03.

Changes:

+ Certain files will be stored under a folder named "Config".

+ I added the exclusion list feature.

The user can define what strings must be discarded from difference files. String search is case-insensitive.


With those changes the part of the program that compares differences between 2 sandboxes is, at least for the moment, finished. I don't plan on adding new features to this part, only fixing bugs if any are found, but if someone suggests an interesting feature I will be glad to consider adding it.

Now I will start working on the part of the program that analyzes all the differences and evaluates whether the actions taken can be considered suspicious.

My final goal is to create a report listing all the actions that were considered suspicious, if any, and give an evaluation based on them. For this I must create a list of suspicious actions and assign them a "malicious ratio".

Finally, the analysis module would say that the analysed program(s) have a "low", "medium" or "high" risk of being malware.

I say it now and I would like not to have to repeat it very often: nobody can expect 100% accurate results, probably not even 1% in some cases.

Some malware will detect that Sandboxie is running and abort its operations. In such cases the analysis will be useless.

Some malware doesn't start its malicious actions immediately after being run. Again, in such cases the analysis will very probably be useless.

Some malware (mainly backdoors) just opens a port and waits for an incoming connection. It's very risky to evaluate a program as malware just because it opens a port.

People should know that in malware analysis, automatic processes cannot be compared to human analysis, especially when it's done by experts. I'm not an expert coder, malware analyst or similar. SandDiff is only meant to be an indicative tool.

There are no malware actions "per se", so I cannot say "this program is malware because it did this or that". E.g. malware may add itself to an autorun registry key, but legitimate software may do it too.

In the end, it's the user who must evaluate whether the analyzed program should be doing certain things or not.

Building a list of malicious actions will take time. I will wait for tzuk to release a Sandboxie version including the message logging feature, as it will be a very important part of the analyzer. Therefore there will not be a new version of SandDiff for a while.

Meanwhile test as much as possible the current version and send your feedback!
Buster
 
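As an added example (not SandDiff's code and not a rule set the project published), this is the exclusion list from 1.03 and a sketch of the analysis module the post plans, working over report lines in the "+ / ~ / -" format. The rules, their weights, the low/medium/high cut-offs and the report lines are all constructed for illustration. It also builds in the caveat from the post: a listening port on its own never lifts the rating above "low".

```python
"""Added example, not SandDiff's own code: the exclusion list from 1.03
and a sketch of the analysis module the post plans. It works on report
lines in SandDiff's '+ / ~ / -' format (constructed below). The rules,
their weights and the low/medium/high thresholds are assumptions chosen
for illustration, not a list the project published."""
import re

# (regex over a report line, weight, description); weights are assumed.
RULES = [
    (r"^\+ .*\\CurrentVersion\\Run\\[^\\]+$", 3, "added an autorun entry"),
    (r"^\+ HKLM\\SYSTEM\\CurrentControlSet\\Services\\[^\\]+$", 3, "registered a service"),
    (r"^[+~] C:\\Windows\\System32\\.*\.(exe|dll|sys)$", 4, "wrote an executable into System32"),
    (r"^~ .*\\drivers\\etc\\hosts$", 3, "modified the hosts file"),
    (r"^\+ C:\\Users\\.*\\AppData\\.*\.exe$", 2, "dropped an executable under AppData"),
    (r"^\+ (TCP|UDP) .* LISTENING$", 1, "opened a listening port"),
]
PORT_ONLY = "opened a listening port"
THRESHOLDS = ((7, "high"), (3, "medium"), (0, "low"))   # assumed cut-offs


def apply_exclusions(lines, exclusions):
    """Drop any line containing one of the user's strings, case-insensitively."""
    needles = [e.lower() for e in exclusions]
    return [ln for ln in lines if not any(n in ln.lower() for n in needles)]


def score(lines):
    """Return (total, [(line, description, weight), ...])."""
    findings = []
    for ln in lines:
        for pattern, weight, desc in RULES:
            if re.search(pattern, ln, re.IGNORECASE):   # Windows paths are case-insensitive
                findings.append((ln, desc, weight))
    return sum(w for _, _, w in findings), findings


def rate(findings, total):
    """Map the score to low/medium/high. A port by itself stays 'low',
    because legitimate servers open ports too (the post's own caveat)."""
    if findings and all(desc == PORT_ONLY for _, desc, _ in findings):
        return "low"
    for cutoff, label in THRESHOLDS:
        if total >= cutoff:
            return label
    return "low"


def evaluate(lines, exclusions=()):
    """Filter, score and rate a list of report lines."""
    kept = apply_exclusions(lines, exclusions)
    total, findings = score(kept)
    return {"lines": kept, "total": total, "findings": findings,
            "rating": rate(findings, total)}


# Constructed report lines as FileDiff, RegDiff and the port diff would list them.
REPORT = [
    r"+ C:\Users\user\AppData\Roaming\Updater\updater.exe",
    r"~ C:\Windows\System32\drivers\etc\hosts",
    r"+ HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
    r"+ C:\Sandbox\user\DefaultBox\RegHive",        # sandbox bookkeeping, not the program's doing
    r"~ C:\Sandbox\user\DefaultBox\RegHive.LOG",
    r"~ C:\Users\user\AppData\Local\Temp\install.log",
    r"+ TCP 0.0.0.0:4444 pid=2280 LISTENING",
]
EXCLUSIONS = ["reghive", "\\Temp\\"]      # user-defined, matched case-insensitively

if __name__ == "__main__":
    result = evaluate(REPORT, EXCLUSIONS)
    for line, desc, weight in result["findings"]:
        print(f"[{weight}] {desc}: {line}")
    print("score", result["total"], "->", result["rating"])
```

Two things worth keeping from this shape if the real module is written: exclusions are applied before scoring, so a user who silences "RegHive" cannot accidentally silence a rule by the same mechanism, and every finding carries the line that triggered it, so the report the post describes can show the evidence next to the verdict rather than only the rating.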

Postby wraithdu » Mon Oct 12, 2009 8:48 pm

I'm getting a very vague 'file access denied' error message from SandDiff when trying to run Step 1. It happens in any sandbox, with no programs running, obviously.

SandDiff 1.03
Win7 Pro RTM 32-bit
wraithdu
 
Posts: 1410
Joined: Fri Jun 29, 2007 7:54 pm

Postby Buster » Mon Oct 12, 2009 11:23 pm

wraithdu wrote:I'm getting a very vague 'file access denied' error message from SandDiff when trying to run Step 1. It happens in any sandbox, with no programs running, obviously.

SandDiff 1.03
Win7 Pro RTM 32-bit


Could you check with File Monitor what file is giving the error, please?
Buster
 

Postby wraithdu » Tue Oct 13, 2009 3:43 am

Looks like I get an ACCESS DENIED error for 'C:\Windows\System32\NETSTAT.EXE' ... probably because it doesn't exist there on Win7. I have that file here:

C:\Windows\winsxs\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7600.16385_none_329d49cdb031b824\NETSTAT.EXE

370   9:38:47.4284740 PM   sanddiff.exe   908   CreateFile   C:\Windows\System32   SUCCESS   Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Open For Backup, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
371   9:38:47.4285282 PM   sanddiff.exe   908   QueryDirectory   C:\Windows\System32\netstat.exe   SUCCESS   Filter: netstat.exe, 1: NETSTAT.EXE
372   9:38:47.4285768 PM   sanddiff.exe   908   CloseFile   C:\Windows\System32   SUCCESS   
373   9:38:47.4294792 PM   sanddiff.exe   908   QueryOpen   C:\Windows\System32\NETSTAT.EXE   FAST IO DISALLOWED   
374   9:38:47.4295919 PM   sanddiff.exe   908   CreateFile   C:\Windows\System32\NETSTAT.EXE   SUCCESS   Desired Access: Read Attributes, Disposition: Open, Options: Open For Backup, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
375   9:38:47.4297151 PM   sanddiff.exe   908   CreateFile   C:\Windows\System32\NETSTAT.EXE   SUCCESS   Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
376   9:38:47.4298660 PM   sanddiff.exe   908   QueryFileInternalInformationFile   C:\Windows\System32\NETSTAT.EXE   SUCCESS   IndexNumber: 0x1000000004894
377   9:38:47.4298887 PM   sanddiff.exe   908   CloseFile   C:\Windows\System32\NETSTAT.EXE   SUCCESS   
378   9:38:47.4300612 PM   sanddiff.exe   908   QueryBasicInformationFile   C:\Windows\System32\NETSTAT.EXE   SUCCESS   CreationTime: 7/13/2009 6:55:12 PM, LastAccessTime: 7/13/2009 6:55:12 PM, LastWriteTime: 7/13/2009 8:14:27 PM, ChangeTime: 7/28/2009 3:33:19 PM, FileAttributes: A
379   9:38:47.4300766 PM   sanddiff.exe   908   CloseFile   C:\Windows\System32\NETSTAT.EXE   SUCCESS   
380   9:38:47.4302429 PM   sanddiff.exe   908   CreateFile   C:\Windows\System32\NETSTAT.EXE   ACCESS DENIED   Desired Access: Generic Read/Write, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a
381   9:38:47.4303495 PM   sanddiff.exe   908   CreateFile   C:\Windows\System32\NETSTAT.EXE   SUCCESS   Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
382   9:38:47.4304819 PM   sanddiff.exe   908   QueryFileInternalInformationFile   C:\Windows\System32\NETSTAT.EXE   SUCCESS   IndexNumber: 0x1000000004894
383   9:38:47.4305022 PM   sanddiff.exe   908   CloseFile   C:\Windows\System32\NETSTAT.EXE   SUCCESS
wraithdu
 
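As an added example (not part of the thread), here is the check Buster asked for, done mechanically: pull the failing operation out of a Process Monitor trace and set it against what the same process was granted on that path. The four sample lines are taken from wraithdu's paste above with their spacing preserved; the column layout (sequence, time, process, PID, operation, path, result, detail) and the tab-or-two-spaces separator are my assumptions about that paste.

```python
"""Added example, not SandDiff's own code: extract the ACCESS DENIED
operation from a Process Monitor trace and compare it with what the same
process was granted on that path. Sample lines come from the trace
posted above; the column layout is an assumption about that paste."""
import re

COLUMNS = ("seq", "time", "process", "pid", "operation", "path", "result", "detail")
SPLIT = re.compile(r"\t|\s{2,}")                       # tabs or runs of spaces
DESIRED = re.compile(r"Desired Access: (.*?), Disposition:")


def parse_procmon(text):
    """Turn each trace line into a dict keyed by COLUMNS (detail may be '')."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = SPLIT.split(raw.strip())
        if len(fields) < 7:
            continue                                   # not a trace line
        fields = fields[:7] + [" ".join(fields[7:])]   # detail is the tail
        events.append(dict(zip(COLUMNS, fields)))
    return events


def desired_access(event):
    """The 'Desired Access' rights named in a CreateFile detail, if any."""
    m = DESIRED.search(event["detail"])
    return m.group(1) if m else None


def denied_opens(events):
    """(path, desired access) for every CreateFile that came back ACCESS DENIED."""
    return [(e["path"], desired_access(e)) for e in events
            if e["operation"] == "CreateFile" and e["result"] == "ACCESS DENIED"]


def granted_access(events, path):
    """The distinct rights the same trace shows being granted on that path."""
    return sorted({desired_access(e) for e in events
                   if e["path"] == path and e["operation"] == "CreateFile"
                   and e["result"] == "SUCCESS" and desired_access(e)})


def explain(events):
    """One line per denied open: what was asked for versus what the path allowed."""
    return [f"{path}: denied '{want}', granted only {granted_access(events, path)}"
            for path, want in denied_opens(events)]


# Four lines of the trace wraithdu posted, spacing preserved.
TRACE = r"""
375   9:38:47.4297151 PM   sanddiff.exe   908   CreateFile   C:\Windows\System32\NETSTAT.EXE   SUCCESS   Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
377   9:38:47.4298887 PM   sanddiff.exe   908   CloseFile   C:\Windows\System32\NETSTAT.EXE   SUCCESS
380   9:38:47.4302429 PM   sanddiff.exe   908   CreateFile   C:\Windows\System32\NETSTAT.EXE   ACCESS DENIED   Desired Access: Generic Read/Write, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a
381   9:38:47.4303495 PM   sanddiff.exe   908   CreateFile   C:\Windows\System32\NETSTAT.EXE   SUCCESS   Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
"""

if __name__ == "__main__":
    print("\n".join(explain(parse_procmon(TRACE))))
```

The output makes the practitioner's point: the only refused operation is an open asking for Generic Read/Write, while the read-attribute opens on the same file succeed. A program that merely wants to execute netstat never needs write access to it, and on Windows Vista and later the binaries under System32 are owned by TrustedInstaller and grant administrators only read and execute, so a writable open is refused whether or not the file is in use.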

Postby Buster » Tue Oct 13, 2009 7:25 am

Thanks for the report. I will change it.

Edit: I just checked my Windows 7 and NETSTAT.EXE is in Windows\System32 folder.

The problem is that, for a reason I don't know, I cannot call it directly from my program.

The workaround I did was to copy NETSTAT.EXE to SandDiff's folder and execute it from there.
Buster
 

Postby wraithdu » Tue Oct 13, 2009 5:27 pm

Sounds like it has to do with some kind of SideBySide installation. I don't know why netstat would be installed that way though...

How are you calling it from your program? CreateProcess? ShellExecute? Through cmd?
wraithdu
 

Postby Buster » Tue Oct 13, 2009 5:33 pm

wraithdu wrote:Sounds like it has to do with some kind of SideBySide installation. I don't know why netstat would be installed that way though...

How are you calling it from your program? CreateProcess? ShellExecute? Through cmd?


Don't you have NETSTAT.EXE in your Windows\System32 folder?

I have it there and in the path you mentioned.

ShellExecute, but the problem is that the file seems to be in use. :shock:
Buster
 

Postby wraithdu » Tue Oct 13, 2009 6:50 pm

Hmm, weird. My file manager shows netstat in both System32 and that winsxs directory. However my search program Everything (www.voidtools.com) only shows the copy in the winsxs folder.
wraithdu
 

Postby Buster » Tue Oct 13, 2009 7:00 pm

I installed Windows 7 just a few days ago and I haven't had time yet to take a close look at it, but it's obvious that there are differences compared to XP. (I never wanted to try Vista.)

When I try to open NETSTAT.EXE (both from the System32 and winsxs folders) I get a "file in use" in return, but I can copy the file to another folder.

Although I don't understand why it happens, the workaround should work anyway.
Buster
 

Postby Buster » Tue Oct 13, 2009 11:14 pm

wraithdu, I have uploaded a new version:

http://sanddiff.qnea.de/sanddiff.rar

Let me know if the bug is gone, please.
Buster
 

Postby wraithdu » Tue Oct 13, 2009 11:25 pm

Sweet, works well.

What is your command line for launching netstat? I'd like to test if I have the same problem as you. You said you used ShellExecute right?
wraithdu
 

Postby nick s » Tue Oct 13, 2009 11:48 pm

wraithdu wrote:However my search program Everything (www.voidtools.com) only shows the copy in the winsxs folder.

Using the latest Everything alpha build (1.2.1.432) here on Vista, it appears that Everything is ignoring the contents of \System32.

First edit: I reverted back to build 1.2.1.371 and get the same result.

Final edit: It turns out that C:\Windows\System32\netstat.exe is a hardlink...

Everything's developer wrote:Only the first hardlink of a file will be indexed and monitored.
Files that are not the first hardlink will not be indexed or monitored.

This is a limitation of the USN Change Journal.

I have plans to index all hard links in the future.
However, you will have to update the indexes manually as the USN Change Journal does not support hardlinks.
Last edited by nick s on Wed Oct 14, 2009 4:18 am, edited 3 times in total.
Nick
nick s
 
Posts: 353
Joined: Sat Dec 20, 2008 6:52 am
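As an added example (not part of the thread), here is nick s's finding reproduced with a throwaway directory tree: a hard link is a second name for the same file, every name shares one inode (on NTFS, one file ID, the value Procmon printed above as IndexNumber), and an index keyed by file ID, as a USN Change Journal consumer is, records one name and misses the other. The directory names are constructed stand-ins for System32 and winsxs, and the "binaries" are placeholder bytes.

```python
"""Added example, not part of the thread: reproduce why a file-ID-keyed
index (such as one built from the USN Change Journal) lists only one of
the names of a hard-linked file. Directory names and file contents are
constructed placeholders, not Windows' own."""
import os
import shutil
import tempfile


def find_hardlink_groups(root):
    """Group every path under root whose file has more than one name."""
    groups = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if st.st_nlink > 1:                       # more names than this one
                groups.setdefault((st.st_dev, st.st_ino), []).append(
                    os.path.relpath(path, root))
    return sorted(sorted(paths) for paths in groups.values())


def first_name_only(root):
    """What a file-ID-keyed index reports: exactly one name per file ID.
    Which name wins depends on enumeration order, which is the trap."""
    seen = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            seen.setdefault((st.st_dev, st.st_ino), os.path.relpath(path, root))
    return sorted(seen.values())


def demo():
    """Build System32/netstat.exe as a hard link to the winsxs copy and report."""
    root = tempfile.mkdtemp(prefix="hardlink-demo-")
    try:
        sys32 = os.path.join(root, "System32")
        sxs = os.path.join(root, "winsxs", "tcpip-utility")   # constructed name
        os.makedirs(sys32)
        os.makedirs(sxs)
        with open(os.path.join(sxs, "netstat.exe"), "wb") as f:
            f.write(b"MZ placeholder, not a real binary")
        os.link(os.path.join(sxs, "netstat.exe"), os.path.join(sys32, "netstat.exe"))
        with open(os.path.join(sys32, "cmd.exe"), "wb") as f:
            f.write(b"MZ placeholder with a single name")
        nlink = os.stat(os.path.join(sys32, "netstat.exe")).st_nlink
        return find_hardlink_groups(root), first_name_only(root), nlink
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    groups, indexed, nlink = demo()
    print("link count of System32/netstat.exe:", nlink)
    print("names sharing one file ID:", groups)
    print("what a file-ID-keyed index sees:", indexed)
```

On Windows, `os.stat(path).st_ino` is the NTFS file ID (Python 3.5 and later), so the same grouping works on a real System32; the equivalent one-liner from an elevated prompt is `fsutil hardlink list C:\Windows\System32\netstat.exe`, which lists every name of that file. The security-relevant caveat is the one this thread ran into by accident: a tool that enumerates by file ID, whether a search index or a hash-based inventory, silently reports one path for a file that is reachable under several, so a diff keyed by path and one keyed by file ID will disagree about what exists.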

Postby Buster » Wed Oct 14, 2009 12:05 am

wraithdu wrote:Sweet, works well.

What is your command line for launching netstat? I'd like to test if I have the same problem as you. You said you used ShellExecute right?


netstat -ano

ShellExecute, right.

It's something like this (Delphi code)

     uses
       Windows, ShellAPI, Forms;

     procedure RunAndWait(const ExecuteFile, Parameters: string);
     var
       SEInfo: TShellExecuteInfo;
       ExitCode: DWORD;
     begin
       FillChar(SEInfo, SizeOf(SEInfo), 0);
       SEInfo.cbSize := SizeOf(TShellExecuteInfo);
       with SEInfo do
          begin
          fMask := SEE_MASK_NOCLOSEPROCESS; // keep hProcess so the loop below can poll it
          Wnd := Application.Handle;
          lpFile := PChar(ExecuteFile);      // e.g. 'netstat.exe'
          lpParameters := PChar(Parameters); // e.g. '-ano'
          nShow := SW_NORMAL;
          end;
       if ShellExecuteEx(@SEInfo) then
          begin
          repeat
          Application.ProcessMessages;       // keep the UI alive while waiting
          GetExitCodeProcess(SEInfo.hProcess, ExitCode);
          until (ExitCode <> STILL_ACTIVE) or Application.Terminated;
          CloseHandle(SEInfo.hProcess);      // NOCLOSEPROCESS leaves this handle for us to close
          end;
     end;
Buster
 

Postby wraithdu » Wed Oct 14, 2009 4:19 am

Is it a security rights issue maybe? Is your app running in a lowered rights mode of sorts so that it can't run apps in system directories?
wraithdu
 
