[Buster_BSA]

Cute! Thanks for your support.
By the way can you include sbiextra functionality in your injected log_api.dll? Looks like no one will continue to support sbiextra, but simetimes investigating new malware requires full isolation from the host. We have discussed it a few posts earlier.

wraithdu will not discontinue sbiextra.

The next moment is port and connection logging. According to my logs there are all connections including the ones belong to host, not sandbox. It is quite hard to stop network activity on host system just to analyze network activity of sandboxed applications. Is it possible to filter it in some way? Or the only solution is to shutdown all applications at host and carefully adjust port exclusion list?

I don´t know how to filter UDP connections but TCP connections only belong to sandboxed processes. That´s it since version 1.19 if I remember correctly.

[gjf]

wraithdu will not discontinue sbiextra.

But he thinks there is some conflict between injected dlls. I have tested sandbox with only two injected ls: from BSA and from sbiextra. And again sbiextra did not work properly.

You know the code in BSA, so possibly you can answer on wraithdu's assumption:

It could be one of the other dlls is hooking the same function(s) and is not coded correctly

[Buster_BSA]

But I don´t know wraithdu´s code so I don´t know where is the conflict.

According to my logs there are all connections including the ones belong to host, not sandbox.

Could you confirm that problem?

[gjf]

But I don´t know wraithdu´s code so I don´t know where is the conflict.

This is accomplished by hooking several API functions:

- NtOpenProcess
- NtQuerySystemInformation
- NtReadVirtualMemory
- CreateToolhelp32Snapshot
- BlockInput
- InternalGetWindowText
- GetWindowTextA/W
- SendMessageA/W
> WM_GETTEXT

Do you hook some of them in BSA?

According to my logs there are all connections including the ones belong to host, not sandbox.

Could you confirm that problem?

Yes, I can. I see connection not only from sandboxed process, but from uTorrent at host machine in the logs too.
Let me know if you need an example of such logs.

[Buster_BSA]

But I don´t know wraithdu´s code so I don´t know where is the conflict.

This is accomplished by hooking several API functions:

- NtOpenProcess
- NtQuerySystemInformation
- NtReadVirtualMemory
- CreateToolhelp32Snapshot
- BlockInput
- InternalGetWindowText
- GetWindowTextA/W
- SendMessageA/W
> WM_GETTEXT

Do you hook some of them in BSA?

Yeah, I hook almost all entries from the list. That´s probably the reason of the crash.

Yes, I can. I see connection not only from sandboxed process, but from uTorrent at host machine in the logs too. Let me know if you need an example of such logs.

Send me screenshots from "Viewer > View Packets", please.

[gjf]

Yeah, I hook almost all entries from the list. That´s probably the reason of the crash.

That's why I am asking you about merging sbiextra functionality with BSA. Could you do it as an option please?

Send me screenshots from "Viewer > View Packets", please.

I didn't find such tab so I believe you mean "View PortDiff". The log is attached.

PortDiff.zip

(579 Bytes) Downloaded 28 times

I have sandboxed notepad.exe so you can see connections those belongs to the host only :)

[Buster_BSA]

Yeah, I hook almost all entries from the list. That´s probably the reason of the crash.

That's why I am asking you about merging sbiextra functionality with BSA. Could you do it as an option please?

I don´t have sbiextra source code.

Send me screenshots from "Viewer > View Packets", please.

I didn't find such tab so I believe you mean "View PortDiff". The log is attached.

PortDiff.zip

I have sandboxed notepad.exe so you can see connections those belongs to the host only :)

I see the problem. In PortDiff connections from sandboxed and unsandboxed programs are showed. Now that you comment it that´s something I should change.

"View Packets" appear after analyzing a sandboxed program that connects to internet. Also you must have the packet sniffer properly configured.

[gjf]

I don´t have sbiextra source code.

If you will obtain it - will you include it in your product (with possibly some credits to wraithdu in release info?

I see the problem. In PortDiff connections from sandboxed and unsandboxed programs are showed. Now that you comment it that´s something I should change.

"View Packets" appear after analyzing a sandboxed program that connects to internet. Also you must have the packet sniffer properly configured.

So - should I send you screenshots now or provided information is quite enough?

[Buster_BSA]

If you will obtain it - will you include it in your product (with possibly some credits to wraithdu in release info?

I will think about it.

So - should I send you screenshots now or provided information is quite enough?

It´s enough. Having packet sniffer "Check ports" feature (PortDiffs.TXT) is obsolete so I will remove it on next release.

[Buster_BSA]

wraithdu is helping to solve the problem chaining multiple DLLs:

http://sandboxie.com/phpbb/viewtopic.php?t=8047