Buster Sandbox Analyzer

Utilities designed for use with Sandboxie
Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Re: Buster Sandbox Analyzer

Post by Buster » Sun May 04, 2014 7:06 pm

Anyone up to collect executables containing misleading icons?

SandyBox
Posts: 8
Joined: Tue Jul 02, 2013 3:27 pm

Re: Buster Sandbox Analyzer

Post by SandyBox » Tue May 06, 2014 10:50 am

Hi Buster,

glad to hear that you resumed your Analyzer project.

Now I gave Sandboxie with the collaboration of BSA another try.
The configuration with LOG_API32.DLL works fine. But the injection of LOG_API64.DLL doesn't work when starting Windows Explorer sandboxed. Windows Explorer seems to crash because WerFault.exe starts as a process in Sandboxie.
Also programs such as notepad.exe crash when I try to save a text-file to disk. In contrast cmd.exe seems to work with LOG_API64.DLL.

On my Windows 7 64-bit OS I have installed Sandboxie beta4.9.4 (64-bit version) and your BSA 1.88 with the fourth update.

Please could you tell me if some functionality of BSA is missing while I can use LOG_API32.DLL only? Or is there a way to get the 64-bit DLL working?

Thanks in advance and keep up the great work
best regards
Martin

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Re: Buster Sandbox Analyzer

Post by Buster » Tue May 06, 2014 12:01 pm

SandyBox wrote:Now I gave Sandboxie with the collaboration of BSA another try.
The configuration with LOG_API32.DLL works fine. But the injection of LOG_API64.DLL doesn't work when starting Windows Explorer sandboxed. Windows Explorer seems to crash because WerFault.exe starts as a process in Sandboxie.
Also programs such as notepad.exe crash when I try to save a text-file to disk. In contrast cmd.exe seems to work with LOG_API64.DLL.

On my Windows 7 64-bit OS I have installed Sandboxie beta4.9.4 (64-bit version) and your BSA 1.88 with the fourth update.
Please install Sandboxie 3.76 and let me know if injection of LOG_API64.DLL crashes also Windows Explorer and notepad.exe.

We need to know if it is a problem in Sandboxie or in the DLL.
SandyBox wrote:Please could you tell me if some functionality of BSA is missing while I can use LOG_API32.DLL only?
You will not miss anything when you analyze 32 bit applications. If you analyze 64 bit applications they may crash, so you could not analyze them.

SandyBox
Posts: 8
Joined: Tue Jul 02, 2013 3:27 pm

Re: Buster Sandbox Analyzer

Post by SandyBox » Tue May 06, 2014 4:38 pm

Hi Buster,

thank you for the quick reply.

So I reinstalled Sandboxie 3.76. But the problem persists. With injection of LOG_API64.DLL when I try opening Windows Explorer or saving a file in notepad the corresponding application crashes.

Do you have and idea how the cause of this problem could be localized? It would be great being able to analyze 64-bit programs.

By the way: Creating a text-file with Windows Explorer and using injection of LOG_API32.DLL results in a correct RegDiff-report. :D It's great but - what I don't understand - according to task-manager my Windows Explorer is 64-bit. :shock:
Edit: (censored) happens. At least that was the case in Sandboxie 4.9.4. Now even the injection of LOG_API32.DLL is prolematic. Now if BSA is loaded and analyzing a dialog box opens saying that access to destination folder was denied and clicking to continue with higher privileges doesn't work. What I have done wrong?

Thank you very much in advance and best regards
Martin

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Re: Buster Sandbox Analyzer

Post by Buster » Wed May 07, 2014 3:37 am

I can reproduce the problem under Windows 7 64 bit. I will try to contact the person who wrote the DLL.

SandyBox
Posts: 8
Joined: Tue Jul 02, 2013 3:27 pm

Re: Buster Sandbox Analyzer

Post by SandyBox » Wed May 07, 2014 4:39 am

Hi Buster,

it's a great pleasure to hear that you pay attention to the 64-bit injection.

And regarding the 32-bit injection: I identified the problem. The SandBoxie Folder (e.g. DefaultBox) has to be created by Sandboxie itself, not by BSA. So when starting an analysis the Sandbox must not be empty.
(Sandboxie runs as normal user whereas BSA runs with administrative privileges.)

I hope the problem regarding 64-bit can be sorted out in a little while.

best regards
Martin

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Re: Buster Sandbox Analyzer

Post by Buster » Wed May 07, 2014 6:53 am

SandyBox wrote:I hope the problem regarding 64-bit can be sorted out in a little while.
I am afraid that will not happen. The person in charge of the DLL is not available at the moment.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Re: Buster Sandbox Analyzer

Post by Buster » Mon May 19, 2014 6:02 am

I have news about LOG_API64 problems.

After talking with the guy coding the dll and doing some tests we found Sandboxie version 4 (even version 4.10 RC) still has bugs in the dll injection mechanism. Injection mechanism works fine until version 3.76, but since version 4, even after the bug fixes done by Invincea team, is buggy.

When LOG_API64 hooks NTDLL/Kernel32 dlls in version 4 the problems appears. These problems are not present in Sandboxie 3.76.

Tests must be done with next version of LOG_API64 dll: http://www.woodmann.com/virusbuster/log_api64.rar

SandyBox: Please replace your log_api64.dll with that dll and make next test:

Install Sandboxie 3.76 and sandbox Windows Explorer and try saving a file in notepad. Do you see any problem?

Then install Sandboxie 4.10 RC beta version and do the same. Do you see any problem?

Come back and post what you see after doing tests, please.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Re: Buster Sandbox Analyzer

Post by Buster » Mon May 19, 2014 6:32 am

And the problem with Sandboxie 4.x versions does not stop there. I also noticed that the API used to exchange information between LOG_API and BSA is not working. I mean SendMessage API.

Sandboxie 3.76 64 bit and BSA works fine. API information is showed in BSA.

Sandboxie 4.10 RC and BSA don´t work. API information is missed by BSA.

Curt: Are you going to work to fix these problems?

Coldblackice
Posts: 5
Joined: Sat Feb 22, 2014 3:52 am

Re: Buster Sandbox Analyzer

Post by Coldblackice » Sat Jun 14, 2014 6:26 pm

Buster wrote:And the problem with Sandboxie 4.x versions does not stop there. I also noticed that the API used to exchange information between LOG_API and BSA is not working. I mean SendMessage API.

Sandboxie 3.76 64 bit and BSA works fine. API information is showed in BSA.

Sandboxie 4.10 RC and BSA don´t work. API information is missed by BSA.

Curt: Are you going to work to fix these problems?
Would it be helpful if I did the tests that you mentioned above for SandyBox? Or is it a matter of waiting for Invincea to iron out the API issues first?

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Re: Buster Sandbox Analyzer

Post by Buster » Mon Jun 16, 2014 11:39 am

Coldblackice wrote:Would it be helpful if I did the tests that you mentioned above for SandyBox? Or is it a matter of waiting for Invincea to iron out the API issues first?
Curt commented that the problem of communication (SendMessage API) and the issues between BSA and Sandboxie 4.x may be related so it is a matter of waiting for Invincea to find out what is going on.

Thanks anyway for offering your help to test!

Curt@invincea
Sandboxie Lead Developer
Sandboxie Lead Developer
Posts: 1661
Joined: Fri Jan 17, 2014 5:21 pm
Contact:

Re: Buster Sandbox Analyzer

Post by Curt@invincea » Wed Jun 18, 2014 1:54 pm

I believe BSA will be back in business in the near future.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Re: Buster Sandbox Analyzer

Post by Buster » Wed Jun 18, 2014 2:21 pm

Curt: It would be nice if you post here your findings about the incompability issues you are finding.

Coldblackice
Posts: 5
Joined: Sat Feb 22, 2014 3:52 am

Re: Buster Sandbox Analyzer

Post by Coldblackice » Mon Jun 23, 2014 2:22 am

Curt@invincea wrote:I believe BSA will be back in business in the near future.
Fantastic news! A number of colleagues will be elated to hear this.
Buster wrote:Curt: It would be nice if you post here your findings about the incompability issues you are finding.
Agreed -- this would be curiously helpful to know.

Buster
Posts: 2576
Joined: Mon Aug 06, 2007 2:38 pm
Contact:

Re: Buster Sandbox Analyzer

Post by Buster » Thu Jun 26, 2014 4:52 am

Curt: In what are you working actually to get BSA in business?

I mean, what is necessary to change in Sandboxie to get BSA working fine?

Locked

Who is online

Users browsing this forum: No registered users and 1 guest