A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #1090  by gjf
 Fri May 14, 2010 7:56 am
1. Looks like the "DefaultBox" problem during delete can be solved pretty simply: there should always be one sandbox named "DefaultBox" :)
2. Does your injected dll work OK with other dlls? I am using the following:
InjectDll=D:\Program Files\Sandboxie\Buster Sandbox Analyzer\LOG_API.dll
InjectDll=D:\Program Files\Sandboxie\Buster Sandbox Analyzer\sbiextra.dll
InjectDll=D:\Program Files\Sandboxie\Buster Sandbox Analyzer\antidel.dll
OpenWinClass=TFormBSA
and it looks like sbiextra.dll does not work very stably. I am looking for a solution on the official forum, but concerning LOG_API.dll I believe the best way is to ask you here.
 #1093  by Buster_BSA
 Fri May 14, 2010 11:09 am
gjf wrote: 1. Looks like the "DefaultBox" problem during delete can be solved pretty simply: there should always be one sandbox named "DefaultBox" :)
Yes, that's what I have read in Sandboxie's forum.
gjf wrote: 2. Does your injected dll work OK with other dlls? I am using the following:
InjectDll=D:\Program Files\Sandboxie\Buster Sandbox Analyzer\LOG_API.dll
InjectDll=D:\Program Files\Sandboxie\Buster Sandbox Analyzer\sbiextra.dll
InjectDll=D:\Program Files\Sandboxie\Buster Sandbox Analyzer\antidel.dll
OpenWinClass=TFormBSA
and it looks like sbiextra.dll does not work very stably. I am looking for a solution on the official forum, but concerning LOG_API.dll I believe the best way is to ask you here.
I have only injected two dlls at the same time (log_api.dll and antidel.dll) and everything was working fine.

Maybe sbiextra.dll and log_api.dll don't like each other. You must consider that both dlls alter the behaviour of sandboxed processes pretty heavily.

Do you restrict internet connection in BSA sandbox?
 #1094  by gjf
 Fri May 14, 2010 11:19 am
Buster_BSA wrote: I have only injected two dlls at the same time (log_api.dll and antidel.dll) and everything was working fine.
Yup, the API logs helped me a lot. Looks like all three dlls are injected but sbiextra.dll does not work. Possibly due to a change in the injection mechanism in Sandboxie. I've posted about this in the sbiextra topic.
Buster_BSA wrote:Do you restrict internet connection in BSA sandbox?
Nope. Do I have to? Some malware has to download the libraries; that's why an Internet connection is necessary.
 #1096  by gjf
 Fri May 14, 2010 1:13 pm
BTW, is it possible to disable API logging at all? Sometimes it takes a long time to include all operations in the log file.
And I really suggest adding an option to exclude some elements mentioned in "Exclusion lists" not only from analysis, but from log files as well. API logs are almost unreadable, with a lot of useless strings due to Sandboxie activity and other things. Sure, these strings can be of interest too - that's why I am asking about an option.
 #1097  by Buster_BSA
 Fri May 14, 2010 1:14 pm
gjf wrote:
Buster_BSA wrote:Do you restrict internet connection in BSA sandbox?
Nope. Do I have to? Some malware has to download the libraries; that's why an Internet connection is necessary.
If you restrict internet connection then sbiextra.dll is not necessary.

Don't forget that malware can not only download from the internet but can also upload information. ;)
 #1100  by gjf
 Fri May 14, 2010 1:26 pm
Buster_BSA wrote: If you restrict internet connection then sbiextra.dll is not necessary.
Don't forget that malware can not only download from the internet but can also upload information. ;)
Not exactly. I am not afraid of uploads - I never store critical passwords in my system. So it's OK. But sometimes the process can find out that I am using, for instance, some specific utilities / antiviruses outside the sandbox and modify its own behaviour according to this information. That's why sbiextra.dll is needed for a clean experiment.

What do you think about my previous post?
 #1101  by Buster_BSA
 Fri May 14, 2010 1:29 pm
gjf wrote: Not exactly. I am not afraid of uploads - I never store critical passwords in my system. So it's OK. But sometimes the process can find out that I am using, for instance, some specific utilities / antiviruses outside the sandbox and modify its own behaviour according to this information. That's why sbiextra.dll is needed for a clean experiment.
Ah, ok. Then the use of sbiextra.dll is necessary.
gjf wrote:What do you think about my previous post?
What post are you talking about?
 #1102  by gjf
 Fri May 14, 2010 1:32 pm
:)

I believe with such a conversation we should find some other way to contact each other. If you would like, I can send you my ICQ or something like that in a PM.
 #1120  by gjf
 Tue May 18, 2010 9:12 pm
Cute! Thanks for your support.
By the way, can you include the sbiextra functionality in your injected log_api.dll? Looks like no one will continue to support sbiextra, but sometimes investigating new malware requires full isolation from the host. We discussed it a few posts earlier.

The next point is port and connection logging. According to my logs, all connections are listed, including the ones that belong to the host, not the sandbox. It is quite hard to stop network activity on the host system just to analyze the network activity of sandboxed applications. Is it possible to filter it in some way? Or is the only solution to shut down all applications on the host and carefully adjust the port exclusion list?
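An added example (not code from the thread, from BSA or from Sandboxie) of the filtering asked about in the post above: it parses constructed `netstat -ano` output, keeps only the connections owned by PIDs assumed to belong to sandboxed processes, and applies a port exclusion list so host-side traffic is dropped before it reaches the analyst. The set of sandboxed PIDs is an assumption here; in practice it would be read off the sandbox's own process list.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample of `netstat -ano` output (not real captured data);
# addresses and PIDs are made up for illustration only.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:49712      203.0.113.10:80        ESTABLISHED     1234
  TCP    192.168.1.5:49713      203.0.113.20:443       ESTABLISHED     4321
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  UDP    0.0.0.0:5355           *:*                                    880
  UDP    192.168.1.5:62001      203.0.113.30:53                        1234
"""

# One netstat row: proto, local, foreign, optional TCP state, owning PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Return the connection rows of `netstat -ano` as dicts; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            rows.append(row)
    return rows


def port_of(endpoint: str) -> Optional[int]:
    """Port of an 'addr:port' endpoint; '*:*' (unbound UDP peer) has none."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def sandbox_connections(text: str, sandboxed_pids: Iterable[int],
                        excluded_ports: Iterable[int] = ()) -> List[Dict[str, object]]:
    """Keep rows owned by a sandboxed PID whose ports are not on the exclusion list."""
    pids, ports = set(sandboxed_pids), set(excluded_ports)
    keep = []
    for row in parse_netstat(text):
        if row["pid"] not in pids:
            continue  # host process: noise for a sandbox analysis
        if port_of(row["local"]) in ports or port_of(row["remote"]) in ports:
            continue  # port excluded by the analyst (e.g. known host traffic)
        keep.append(row)
    return keep
```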