A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #12340  by Buster_BSA
 Sun Mar 25, 2012 11:04 pm
listito wrote: Hey Buster, congrats, nice tool. I'd like to know what type of hook you use to monitor the programs?
Buster Sandbox Analyzer uses Sandboxie's facilities to monitor the programs:

* File modifications are checked over the sandbox folder.
* Registry modifications are checked over the RegHive file created by Sandboxie.
* Processes are monitored using a DLL injected via Sandboxie's injection mechanism (InjectDll in SANDBOXIE.INI).
 #12361  by Buster_BSA
 Tue Mar 27, 2012 6:58 am
listito wrote: Buster, my .exe calls WriteProcessMemory 4 times; your tool only shows it is called 1 time. Is it normal?
It could be normal, yes. I coded BSA in a way that it doesn't show repeated API calls in a row.

Let's say a program does:

GetModuleHandle(x)
WriteProcessMemory(y)
GetModuleHandle(x)
WriteProcessMemory(y)

That's what BSA would show.

Now let's say a program does:

GetModuleHandle(x)
GetModuleHandle(x)
WriteProcessMemory(y)
WriteProcessMemory(y)

BSA will show:

GetModuleHandle(x)
WriteProcessMemory(y)

Only if the string between "()" is different will BSA show repeated APIs. Example:

GetModuleHandle(x)
GetModuleHandle(y)
WriteProcessMemory(x)
WriteProcessMemory(y)

I coded BSA in that way because from a behavioural point of view it doesn't matter how many times in a row an action is performed.
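The collapsing rule described in the post above, as an added example that is not BSA's own code: a call is suppressed only when its API name and its argument string are identical to the immediately preceding call, so non-consecutive repeats and same-API-different-argument calls are all kept. The trace lines and argument values below are constructed for the example (the real BSA log format is not reproduced here). It goes slightly beyond the post by also offering a variant that keeps a repeat count, so an analyst can still see that WriteProcessMemory was called 4 times rather than once.

```python
import re

# Constructed sample trace: the situation listito describes, where
# WriteProcessMemory is called 4 times in a row with the same arguments.
# Argument strings are hypothetical.
SAMPLE_TRACE = [
    "GetModuleHandle(kernel32.dll)",
    "GetModuleHandle(kernel32.dll)",
    "WriteProcessMemory(0x400000)",
    "WriteProcessMemory(0x400000)",
    "WriteProcessMemory(0x400000)",
    "WriteProcessMemory(0x400000)",
    "GetModuleHandle(kernel32.dll)",
    "WriteProcessMemory(0x401000)",
]

# A logged call is "ApiName(argument string)"; the argument string may be empty.
CALL_RE = re.compile(r"^(?P<api>[A-Za-z_][A-Za-z0-9_]*)\((?P<args>.*)\)$")


def parse_call(line):
    """Split one trace line into (api, args). Raises on lines that are not calls."""
    m = CALL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an API call line: {line!r}")
    return m.group("api"), m.group("args")


def collapse_runs(trace):
    """Merge consecutive identical calls.

    Returns a list of (api, args, count) tuples. Two calls are identical only
    when both the API name and the text between the parentheses match; a
    change in either one starts a new entry.
    """
    out = []
    for line in trace:
        api, args = parse_call(line)
        if out and out[-1][0] == api and out[-1][1] == args:
            out[-1] = (api, args, out[-1][2] + 1)
        else:
            out.append((api, args, 1))
    return out


def bsa_style(trace):
    """What the post says BSA shows: the collapsed sequence, counts dropped."""
    return [f"{api}({args})" for api, args, _ in collapse_runs(trace)]


def annotated(trace):
    """Variant that preserves how many times each run repeated."""
    return [
        f"{api}({args})" + (f"  x{n}" if n > 1 else "")
        for api, args, n in collapse_runs(trace)
    ]


if __name__ == "__main__":
    print("BSA-style view:")
    for entry in bsa_style(SAMPLE_TRACE):
        print("  " + entry)
    print("With repeat counts:")
    for entry in annotated(SAMPLE_TRACE):
        print("  " + entry)
```

Note that the rule is purely local: a second GetModuleHandle(kernel32.dll) after an intervening WriteProcessMemory is shown again, because only the immediately preceding line is compared.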
 #12392  by Buster_BSA
 Thu Mar 29, 2012 11:14 am
Released Buster Sandbox Analyzer 1.53.

Changes:

+ Added a new entry section to BSA.DAT: [Process_Code_Injection]
+ Added a new feature to dump executable processes in automatic mode
+ Added a feature that allows the user to select what behaviours must appear in the analysis report
+ Updated “Risk Evaluation Ratings”
+ Included new malware behaviour
+ Updated LOG_API
 #12498  by Buster_BSA
 Tue Apr 03, 2012 10:57 am
Released Buster Sandbox Analyzer 1.54.

Changes:

+ Added a new entry section to BSA.DAT: [File_Strings]
+ Added a feature to search for defined strings inside analyzed file
+ Improved “Dump Executable Processes” feature
+ Included new malware behaviour
+ Updated LOG_API
+ Added Portuguese (Brazil) language translation (thanks to Paulo Guzman)
 #12620  by Buster_BSA
 Wed Apr 11, 2012 10:54 am
Released Buster Sandbox Analyzer 1.56.

Changes:

+ Added the ability to run multiple analyses at the same time
+ Added new malware behaviours
+ Updated LOG_API
+ Included new malware behaviour at “Risk Evaluation Ratings”
+ Added Russian language translation (thanks to gjf)
 #12739  by Buster_BSA
 Mon Apr 16, 2012 10:50 am
Released Buster Sandbox Analyzer 1.57.

Changes:

+ Added a feature to extract used APIs from dumped files
+ Added a feature to extract strings from dumped files
+ Added new malware behaviour
+ Fixed a bug
 #12803  by Buster_BSA
 Thu Apr 19, 2012 7:14 pm
Released Buster Sandbox Analyzer 1.58.

Changes:

+ Added new malware behaviours
+ Added a feature to automatically analyze a file from the shell menu
+ Added a feature to generate additional information from analyzed executable files
+ Added the option of deleting the analyzed file in the “Manage Processed file” feature
+ Included new malware behaviour at “Risk Evaluation Ratings”
+ Included Signsrch tool by Luigi Auriemma
+ Updated LOG_API
+ Updated Exeinfo to version 0.0.3.0
+ Fixed several bugs