SandboxDiff - Registry/Files changes

Utilities designed for use with Sandboxie

Postby majoMo » Mon Jul 07, 2008 12:10 am

To track changes in the registry and files with Sandboxie I tried to use applications like ZSoft Uninstaller (an excellent uninstaller), Regshot, System Explorer and InCtrl5 (all sandboxed). Without success - looping issue. I read some forum administrator posts about it, which allowed me to make and try a utility.

I'm now using SandboxDiff to do that. How to use it?

Before installing a program sandboxed:

1- Open 'UserPath.bat.txt' and inside it customize only the path (RegHive path)
to something like: "C:\Sandbox\<YourUserName>\DefaultBox\RegHive".
2- Rename 'UserPath.bat.txt' to 'UserPath.bat'
3- Run 'SandboxDiff.exe' - not sandboxed.

At the end the user can see the changes made by the sandboxed application in the files:

- Registry changes:

Comp-Reg.txt - lists registry changes (values only) in text format.
Comp-Reg.REG.txt - lists registry changes (keys and values) in .reg format (Windows Registry Editor Version 5.00).
Comp-Reg.html - lists all sandboxed registry entries (values) in text/html format (and the registry value changes).

- Files changes:

Comp-Files.txt - lists added/removed files.
Comp-FilesMOD.txt - lists added/removed files - and modified files (based on size and date/time).
Comp-Files.html - lists all files in the sandbox folder - and added/removed files.

Some Sandboxie users in the forum have asked how to check the changes made by a sandboxed installation. They can try SandboxDiff to do that.

Hoping it will be useful to someone else who likes the excellent Sandboxie.

Some anti-virus programs can detect 'SandboxDiff.exe' as suspicious. It is a false positive. SandboxDiff doesn't have any harmful activity.

Regards.

SandboxDiff v. 2.3 - DOWNLOAD - MD5: AF33F8578978CCE2885505F7109D39F1
Last edited by majoMo on Fri Jun 03, 2011 3:48 pm, edited 28 times in total.
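The file side of what the first post describes (snapshot the sandbox folder, install, snapshot again, list added/removed/modified files by size and date/time), as an added example in Python that is not part of the thread or of SandboxDiff itself. The sandbox tree it builds in a temporary directory is constructed for the demo and stands in for ...\DefaultBox; the RegHive file in it is just a placeholder, not a real hive:

```python
"""Added example (not SandboxDiff's own code): snapshot a sandbox folder
before and after a sandboxed install and report added, removed and
modified files, the way Comp-Files.txt / Comp-FilesMOD.txt are described
above. The sample sandbox tree below is constructed for the demo."""
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file (path relative to root, '/' separated) to (size, mtime_ns).

    Size plus modification time is the same cheap heuristic the post uses
    for Comp-FilesMOD.txt; a content hash would be stronger but slower on
    a large sandbox, and an installer can set whatever timestamp it likes."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = (st.st_size, st.st_mtime_ns)
    return snap


def diff_snapshots(before, after):
    """Classify paths into added / removed / modified (size or mtime differ)."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def report(diff):
    """Render the diff as plain text, one marked path per line."""
    marks = (("added", "+"), ("removed", "-"), ("modified", "*"))
    return "\n".join(f"{m} {p}" for kind, m in marks for p in diff[kind])


def demo():
    """Build a throwaway stand-in for the DefaultBox folder, 'install' into it, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        box = Path(tmp)
        app = box / "drive" / "C" / "Program Files" / "ExampleApp"
        app.mkdir(parents=True)
        (app / "setup.tmp").write_bytes(b"tmp")        # installer scratch file
        (box / "RegHive").write_bytes(b"regf")         # placeholder, not a real hive
        before = snapshot(box)

        # The "sandboxed install": one file removed, one added, one grown.
        (app / "setup.tmp").unlink()
        (app / "app.exe").write_bytes(b"MZ" + b"\0" * 64)
        (box / "RegHive").write_bytes(b"regf" + b"\0" * 4096)
        after = snapshot(box)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(report(demo()))
```

Run it against a real sandbox by calling snapshot() on the box folder before and after the install instead of demo(); as the later posts in this thread stress, take the "after" snapshot only once all sandboxed programs are terminated, otherwise files still being written will show stale sizes and times.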

Postby MitchE323 » Mon Jul 07, 2008 1:27 am

Very nice, works just as described. Just one question, what is the difference between SandboxDiff.exe & SandboxDiff2.exe (which also comes in the download)?

Postby Oneder » Mon Jul 07, 2008 2:43 am

Getting a blank page here when trying to get the download atm.

Postby majoMo » Tue Jul 08, 2008 1:00 am

MitchE323 wrote: Just one question, what is the difference between SandboxDiff.exe & SandboxDiff2.exe (which also comes in the download)?

The difference between them is the registry changes view. That is to say, the files "comp-hklm.txt" and "comp-hkcu.txt" from "SandboxDiff2.exe" aren't like those from "SandboxDiff.exe". The output is different - but the shape is interesting. The comparing process is also a bit slower.

The user can use either one - a user choice...

I am glad to know it's useful for someone else than me.

Oneder wrote: Getting a blank page here when trying to get the download atm.

You can try to copy the link into your browser's address bar and press enter. Perhaps this helps:
http://www.adrive.com/public/93645a7b597c8dbe3df59ebabacb47d3e0280a8972de7a98c739b014df4aa1b0.html
OR
http://www.adrive.com/public/view/93645a7b597c8dbe3df59ebabacb47d3e0280a8972de7a98c739b014df4aa1b0.html

Postby GreyWolf » Tue Jul 15, 2008 12:07 am

Very nice program... and considering that working via a DOS interface for most commands is definitely the best way to go without influencing the output.

Great Job.

GreyWolf

Postby Guest10 » Sat Sep 13, 2008 8:31 pm

@majoMo:

The most recent data files for Norton A/V 2008 have apparently decided that SandboxDiff2.exe contains a Trojan horse, and automatically deleted it from the Windows Explorer window when I opened the folder containing that file.
I've submitted the file to Symantec, since I'm sure that it's a false positive.

Just thought I'd let you know. You may have others report this too.
Paul
XP Pro SP3 (Admin), Zone Alarm Pro Firewall, Malwarebytes Pro, Firefox 33, Thunderbird 31.
Sandboxie user since March 2007.

Postby SandboxDiff » Thu Oct 02, 2008 2:11 am

Can we get a repost of this? It would be very useful.

Thanks!

Postby SnDPhoenix » Thu Oct 02, 2008 3:55 am

Well you're in luck, I looked in my download folder and I still have the SandboxDiff archive on my HDD, so I just uploaded it to my premium zone on Rapidshare (faster and more reliable, since you know Rapidshare will still be there tomorrow), so here you go.
http://rapidshare.com/files/150141933/SandboxDiff.rar

Btw, just as Guest10 mentioned above, yes this file does seem to be tagged as infected with some kind of trojan, but I think it might be a false positive. I think the reason it says there is a trojan is because the executable file actually has a couple of other exe files embedded inside, so the A/Vs might be mistaking that packing technique for the file being a virus (since many viruses bind/pack many exe files together...).

Either way, I'd still say you're safe, since the tool is meant to be run sandboxed, so even if it is infected, it is sandboxed!

Postby majoMo » Thu Oct 02, 2008 5:06 pm

Some AVs see SandboxDiff as a trojan. SnDPhoenix describes one reason; UPX compression is also disliked by other AVs. SandboxDiff doesn't have any harmful activity. It's a false positive.

SandboxDiff will be updated as soon as possible. In fact there are some annoyances that need to be corrected. An accurate rendering is crucial. Changes in the hive file will be effective; file changes will not log "virtual" files anymore. The .exe file will be replaced by a .bat file.

Postby majoMo » Sun Oct 05, 2008 12:14 am

SandboxDiff updated.

Changes:

- "SandboxDiff.rar" must be extracted to the Sandbox folder where the "RegHive" file is.
- Now runs as a .bat: "SandboxDiff.bat" - not sandboxed.
- While Sandboxie has applications running, the "RegHive" file can't be analyzed. That's why it is necessary to "terminate all programs that are sandboxed". SandboxDiff tells you when such action must be done.
- Changes (in registry and files) are saved in .txt and .html format. Output is accurate.
- The analysis process is now noticeably faster.

Download and info in first post.

Postby Casey44 » Wed Oct 22, 2008 1:39 am

majoMo,
Seems like a great addition! I tried it out, but ran into a problem.

UnRARed the files in ...\Defaultbox.
But HOW do I start "SandboxDiff.bat" not sandboxed? As instructed.

Whatever I try, I get it in a Sandbox-window, with the [#] markings.

Maybe because of that (?), I get the error message:

[...]
- Analyzing Registry and Files . . .
Please wait . . . (DON'T CLOSE THE WINDOW)
Het systeem kan het opgegeven pad niet vinden.
Kan G:\Sandbox\Kees\DefaultBox\hive_2.bak niet vinden

translated from Dutch:
The system can not find the specified path.
Cannot find G:\Sandbox\Kees\DefaultBox\hive_2.bak.

Please help me on,
Casey

Same Problem

Postby George » Wed Oct 22, 2008 6:05 am

I'm having the same problem as casey.

Thanks for your help!

Postby George » Wed Oct 22, 2008 6:13 am

Note that the problem is most likely because SandboxDiff.bat is designed to run inside \DefaultBox\.

HOWEVER, running ANYTHING inside \DefaultBox\ will run it in sandbox mode.

Therefore SandboxDiff.bat is run in sandbox mode, and cannot run properly.

Maybe this can be fixed by re-designing the batch file to be run at C:\ instead.

Postby SnDPhoenix » Wed Oct 22, 2008 4:47 pm

George wrote: Therefore SandboxDiff.bat is run in sandbox mode, and cannot run properly.

Err, if I am not mistaken, aren't only exe files forced sandboxed if they reside in the sandbox folder? I don't think the same rules apply to .bat files in the sandbox, could be wrong...?

Postby majoMo » Thu Oct 23, 2008 4:59 am

SnDPhoenix wrote: Err, if I am not mistaken, aren't only exe files forced sandboxed if they reside in the sandbox folder? I don't think the same rules apply to .bat files in the sandbox, could be wrong...?

Exactly like that, SnDPhoenix. If a .bat file is opened in that folder it isn't sandboxed (like a .txt file, for example). This is the reason why "SandboxDiff" is a .bat file now - if it were a .exe file the output wouldn't be accurate and effective.

Casey44 wrote: Whatever I try, I get it in a Sandbox-window, with the [#] markings.

Casey44, if you open "SandboxDiff.bat" (double click, for example) in your "G:\Sandbox\Kees\DefaultBox", the SandboxDiff.bat window (cmd) runs not sandboxed (like if you open a .txt file there; try it also).

Casey44 wrote: Maybe because of that (?), I get the error message:
The system can not find the specified path.
Cannot find G:\Sandbox\Kees\DefaultBox\hive_2.bak.

George wrote: I'm having the same problem as casey.
Note that the problem is most likely because SandboxDiff.bat is designed to run inside \DefaultBox\.

Casey and George,

1. SandboxDiff.bat must be executed in that folder (with the other files that are in "SandboxDiff.rar"). If not, the output won't be accurate anymore.

2. What is the annoyance "Cannot find G:\Sandbox\Kees\DefaultBox\hive_2.bak" about? If you run "SandboxDiff.bat" inside \DefaultBox\ you need to confirm that 1) you have the RegHive file there; 2) you TERMINATE ALL PROGRAMS sandboxed when requested by the SandboxDiff window. Without this SandboxDiff can't do its work, because it can't analyze (if you don't terminate the programs the crucial RegHive file is locked: it can't be analyzed).

Hoping this helps to clarify the question. Your feedback is much appreciated. Thanks.

BTW, the next SandboxDiff update will make the registry changes available in .REG format (Windows Registry Editor Version 5.00).
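The .REG-format change list majoMo mentions above (and the Comp-Reg.REG.txt output listed in the first post), as an added example in Python that is not part of the thread or of SandboxDiff itself. It assumes the sandboxed registry state has already been exported before and after the install as "Windows Registry Editor Version 5.00" text; parsing the binary RegHive file directly is out of scope here. The BEFORE and AFTER exports, the ExampleApp key names and the Run entry are constructed for the demo:

```python
"""Added example (not SandboxDiff's own code): diff two registry exports in
'Windows Registry Editor Version 5.00' (.reg) text format and emit the
difference as a .reg file. The BEFORE/AFTER exports are constructed for
the demo; producing them from the sandbox is assumed done elsewhere."""
import re

HEADER = "Windows Registry Editor Version 5.00"
# A value line: @ (the key's default value) or a quoted, backslash-escaped name.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key: {value_name: data_as_written}}.

    Hex data wrapped with a trailing backslash is re-joined first; ';'
    comments, blank lines and the header are skipped. Value names are kept
    in their quoted, escaped form so they can be written back verbatim."""
    keys = {}
    current = None
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == HEADER:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def diff_reg(before, after):
    """Return .reg text that turns `before` into `after`.

    Keys present only in `before` become [-KEY]; values dropped from a
    surviving key become name=- ; added or changed values carry new data.
    Keys and names are sorted so two runs give identical output."""
    out = [HEADER, ""]
    for key in sorted(before.keys() - after.keys()):
        out += [f"[-{key}]", ""]
    for key in sorted(after):
        old, new = before.get(key, {}), after[key]
        changes = [f"{name}=-" for name in sorted(old.keys() - new.keys())]
        changes += [f"{name}={data}" for name, data in sorted(new.items())
                    if old.get(name) != data]
        if changes or key not in before:
            out += [f"[{key}]", *changes, ""]
    return "\n".join(out)


# Constructed sample exports: an app upgrade that bumps a version, adds a
# wrapped hex value, drops its Setup key and registers an autorun entry.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp]
"Version"="1.0"
"Path"="C:\\Program Files\\ExampleApp"

[HKEY_CURRENT_USER\Software\ExampleApp\Setup]
"Stage"=dword:00000001
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp]
"Version"="1.1"
"Path"="C:\\Program Files\\ExampleApp"
"Blob"=hex:00,01,02,\
  03,04

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\ExampleApp\\app.exe"
"""


def demo():
    return diff_reg(parse_reg(BEFORE), parse_reg(AFTER))


if __name__ == "__main__":
    print(demo())
```

The output is itself a valid .reg file, so the unchanged "Path" value is omitted and the new Run entry stands out on its own; in a real run, values under Run and similar autostart keys are exactly the changes worth reading first.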
