Buster_BSA wrote:You can get it from: http://hotfile.com/dl/119929569/86e5b8a ... I.RAR.htmlAccording to MD5 it differs from the previous version. Could you please explain what you have imlemented?
A forum for reverse engineering, OS internals and malware analysis
gjf wrote:According to MD5 it differs from the previous version. Could you please explain what you have imlemented?When you compile a source the timestamp fields change, that´s why the MD5 is different.
Buster_BSA wrote:You can get it from: http://hotfile.com/dl/119929569/86e5b8a ... I.RAR.htmlthx, 100% detected
kmd wrote:Could you share the binary to make tests on my end, please?Buster_BSA wrote:You can get it from: http://hotfile.com/dl/119929569/86e5b8a ... I.RAR.htmlthx, 100% detected
Could you share the binary to make tests on my end, please?sent via pm
@Buster
Just in case if u interested. I found several other simple ways to detect ur lib. As in fact there no hiding (real or partial) in this log_api.dll version.
Just in case if u interested. I found several other simple ways to detect ur lib. As in fact there no hiding (real or partial) in this log_api.dll version.
kmd wrote:@BusterSend me a private message with the stuff you found, please.
Just in case if u interested. I found several other simple ways to detect ur lib. As in fact there no hiding (real or partial) in this log_api.dll version.
Send me a private message with the stuff you found, please.thing are obvious:
1. Ldr->HashLinks
2. calls to api through sysenter
3. manual thread stack backtrace
4. looking for your hooks
5. self-debugging
6. looking for specific objects sandboxie creates
Released Buster Sandbox Analyzer version 1.35.
Changes:
+ Added HideDriver again
+ Added LOG_API version for 64 bit systems
+ Fixed several bugs
Changes:
+ Added HideDriver again
+ Added LOG_API version for 64 bit systems
+ Fixed several bugs
I seen a new version of SB was released. If I ever get time I'll do a ring 3 solution for stealth. It'll take some weeks of research and coding.
Double hooking and modifying structs kills all of kmd's methods, some mutation defeats manual 'peek' methods kind of.
I think the real reason no talented people bother with SB tools is because the author hypes it a lot and it's commercial, it doesn't actually protect end-users even without jailbreaking, especially in binding scenarios where there is SB detection.
Double hooking and modifying structs kills all of kmd's methods, some mutation defeats manual 'peek' methods kind of.
I think the real reason no talented people bother with SB tools is because the author hypes it a lot and it's commercial, it doesn't actually protect end-users even without jailbreaking, especially in binding scenarios where there is SB detection.
