A forum for reverse engineering, OS internals and malware analysis 

 #1121  by Buster_BSA
 Tue May 18, 2010 9:44 pm
gjf wrote:Cute! Thanks for your support.
By the way, can you include sbiextra functionality in your injected log_api.dll? It looks like no one will continue to support sbiextra, but sometimes investigating new malware requires full isolation from the host. We discussed it a few posts earlier.
wraithdu will not discontinue sbiextra.
gjf wrote:The next moment is port and connection logging. According to my logs there are all connections including the ones belong to host, not sandbox. It is quite hard to stop network activity on host system just to analyze network activity of sandboxed applications. Is it possible to filter it in some way? Or the only solution is to shutdown all applications at host and carefully adjust port exclusion list?
I don't know how to filter UDP connections, but TCP connections only belong to sandboxed processes. That has been the case since version 1.19, if I remember correctly.
 #1132  by gjf
 Thu May 20, 2010 3:02 pm
Buster_BSA wrote:wraithdu will not discontinue sbiextra.
But he thinks there is some conflict between injected dlls. I have tested the sandbox with only two injected dlls: the one from BSA and the one from sbiextra. And again sbiextra did not work properly.

You know the code in BSA, so possibly you can respond to wraithdu's assumption:
It could be one of the other dlls is hooking the same function(s) and is not coded correctly
 #1133  by Buster_BSA
 Thu May 20, 2010 3:44 pm
But I don't know wraithdu's code, so I don't know where the conflict is.
gjf wrote:According to my logs there are all connections including the ones belong to host, not sandbox.
Could you confirm that problem?
 #1134  by gjf
 Thu May 20, 2010 5:22 pm
Buster_BSA wrote:But I don't know wraithdu's code, so I don't know where the conflict is.
This is accomplished by hooking several API functions:

- NtOpenProcess
- NtQuerySystemInformation
- NtReadVirtualMemory
- CreateToolhelp32Snapshot
- BlockInput
- InternalGetWindowText
- GetWindowTextA/W
- SendMessageA/W
  - WM_GETTEXT
Do you hook some of them in BSA?
Buster_BSA wrote:
According to my logs there are all connections including the ones belong to host, not sandbox.
Could you confirm that problem?
Yes, I can. I see connections not only from the sandboxed process, but also from uTorrent on the host machine in the logs.
Let me know if you need an example of such logs.
 #1135  by Buster_BSA
 Thu May 20, 2010 5:50 pm
gjf wrote:
Buster_BSA wrote:But I don't know wraithdu's code, so I don't know where the conflict is.
This is accomplished by hooking several API functions:

- NtOpenProcess
- NtQuerySystemInformation
- NtReadVirtualMemory
- CreateToolhelp32Snapshot
- BlockInput
- InternalGetWindowText
- GetWindowTextA/W
- SendMessageA/W
  - WM_GETTEXT
Do you hook some of them in BSA?
Yeah, I hook almost all entries from the list. That's probably the reason for the crash.
gjf wrote:Yes, I can. I see connections not only from the sandboxed process, but also from uTorrent on the host machine in the logs. Let me know if you need an example of such logs.
Send me screenshots from "Viewer > View Packets", please.
 #1136  by gjf
 Thu May 20, 2010 6:24 pm
Buster_BSA wrote: Yeah, I hook almost all entries from the list. That's probably the reason for the crash.
That's why I am asking you about merging sbiextra functionality with BSA. Could you do it as an option please?
Buster_BSA wrote: Send me screenshots from "Viewer > View Packets", please.
I didn't find such a tab, so I believe you mean "View PortDiff". The log is attached.
I have sandboxed notepad.exe, so you can see connections that belong to the host only :)
 #1141  by Buster_BSA
 Fri May 21, 2010 6:27 am
gjf wrote:
Buster_BSA wrote: Yeah, I hook almost all entries from the list. That's probably the reason for the crash.
That's why I am asking you about merging sbiextra functionality with BSA. Could you do it as an option please?
I don't have the sbiextra source code.
gjf wrote:
Buster_BSA wrote: Send me screenshots from "Viewer > View Packets", please.
I didn't find such a tab, so I believe you mean "View PortDiff". The log is attached.
PortDiff.zip
I have sandboxed notepad.exe, so you can see connections that belong to the host only :)
I see the problem. In PortDiff, connections from sandboxed and unsandboxed programs are shown. Now that you point it out, that's something I should change.

"View Packets" appears after analyzing a sandboxed program that connects to the internet. You must also have the packet sniffer properly configured.
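As an added example (not code from BSA or sbiextra), here is a small Python port-diff that keeps only the endpoints owned by sandboxed processes, so host traffic such as uTorrent never reaches the log. It assumes a `netstat -ano`-style listing with an owning-PID column on both TCP and UDP rows; the snapshots, PIDs and addresses below are constructed.

```python
"""Port-diff restricted to sandboxed processes (constructed example)."""
import re
from dataclasses import dataclass

# One `netstat -ano`-style row: proto, local, remote, optional state (UDP has none), PID.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

@dataclass(frozen=True)
class Endpoint:
    proto: str
    local: str
    remote: str
    state: str   # empty for UDP rows
    pid: int     # owning process: the key that separates sandbox from host

def parse_netstat(text):
    """Parse netstat -ano style output; header and blank lines are skipped."""
    rows = set()
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.add(Endpoint(proto, local, remote, state or "", int(pid)))
    return rows

def port_diff(before, after, sandboxed_pids):
    """Endpoints new in `after`, keeping only those owned by a sandboxed PID."""
    new = parse_netstat(after) - parse_netstat(before)
    return sorted((e for e in new if e.pid in sandboxed_pids),
                  key=lambda e: (e.proto, e.local))

# Constructed snapshots: PID 2040 stands in for a host uTorrent, PID 3120 for the
# sandboxed sample. Both PIDs and all addresses are made up for this example.
BEFORE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    192.168.1.10:49152     203.0.113.7:6881       ESTABLISHED     2040
  UDP    0.0.0.0:6881           *:*                                    2040
"""
AFTER = BEFORE + """
  TCP    192.168.1.10:49153     203.0.113.9:6881       ESTABLISHED     2040
  TCP    192.168.1.10:49160     198.51.100.5:80        SYN_SENT        3120
  TCP    192.168.1.10:49161     198.51.100.5:443       ESTABLISHED     3120
  UDP    0.0.0.0:52000          *:*                                    3120
"""
SANDBOXED_PIDS = {3120}

if __name__ == "__main__":
    for e in port_diff(BEFORE, AFTER, SANDBOXED_PIDS):
        print(f"{e.proto:3} {e.local:22} -> {e.remote:20} {e.state:12} pid={e.pid}")
```

The new host connection from PID 2040 is dropped from the diff; only the three sandboxed endpoints (two TCP, one UDP) are reported.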
 #1142  by gjf
 Fri May 21, 2010 7:29 am
Buster_BSA wrote:I don't have the sbiextra source code.
If you obtain it, will you include it in your product (possibly with some credits to wraithdu in the release info)?
Buster_BSA wrote: I see the problem. In PortDiff, connections from sandboxed and unsandboxed programs are shown. Now that you point it out, that's something I should change.

"View Packets" appears after analyzing a sandboxed program that connects to the internet. You must also have the packet sniffer properly configured.
So, should I send you screenshots now, or is the information provided enough?
 #1144  by Buster_BSA
 Fri May 21, 2010 10:54 am
gjf wrote:If you obtain it, will you include it in your product (possibly with some credits to wraithdu in the release info)?
I will think about it.
gjf wrote:So, should I send you screenshots now, or is the information provided enough?
It's enough. With the packet sniffer available, the "Check ports" feature (PortDiffs.TXT) is obsolete, so I will remove it in the next release.