A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #6504  by Mr.Bojangles
 Mon May 23, 2011 5:55 pm
Buster_BSA wrote:
Mr.Bojangles wrote: What does your tool do to hide sandboxie? from what I see it just uses codeproject HideDriver to hide sandboxie processes, and x64 users are screwed.
Good news. I was doing some research and I think I was able to find a way to hide Sandboxie on x64 (32 bit stuff, of course).

On next BSA release HideDriver will not be included anymore. All the hiding will be done from LOG_API.
Sounds good. From a pre-infection standpoint ring3 protection is more than sufficient, especially with driver loading and ACL already taken care of by SB.
 #6540  by Buster_BSA
 Wed May 25, 2011 6:58 pm
Released Buster Sandbox Analyzer 1.34.

Changes:

+ Added a feature to copy/move processed files in automatic mode
+ Added a feature to export RegHive to .REG format
+ Updated LOG_API
+ Removed HideDriver
+ Fixed a bug
 #6541  by Buster_BSA
 Wed May 25, 2011 6:59 pm
Mr.Bojangles wrote: Sounds good. From a pre-infection standpoint ring3 protection is more than sufficient, especially with driver loading and ACL already taken care of by SB.
Download version 1.34, try it and let me know what you think about Sandboxie's hiding under x64 with the new LOG_API, please.
 #6641  by Mr.Bojangles
 Thu Jun 02, 2011 1:18 pm
It hides well. I can see your dll though, even though it's renamed here. I couldn't get the address for InjectDllMain, but I only tried one method. I might update this detector soon, using more structs and some threading stuff. I also didn't implement file system stuff.
 #6645  by Buster_BSA
 Thu Jun 02, 2011 3:28 pm
Mr.Bojangles wrote: It hides well. I can see your dll though, even though it's renamed here.
As you can rename LOG_API.DLL to any name, it's useless to try to use GetModuleHandle or any other method to look for a static string.
Mr.Bojangles wrote: I couldn't get the address for InjectDllMain, but I only tried one method. I might update this detector soon, using more structs and some threading stuff. I also didn't implement file system stuff.
Maybe in the future I will implement stuff to hide Sandboxie's files.
 #6648  by Buster_BSA
 Thu Jun 02, 2011 4:25 pm
Mr.Bojangles wrote: Currently your dll can be detected by UPX code and your own code, or by fast hashing by base address. Without a driver this will be hard to hide.
What's up if you compress LOG_API.DLL with Asprotect, Themida, Petite, Armadillo or a combination of some of them? Would you be able to detect the code then?
 #6651  by Mr.Bojangles
 Thu Jun 02, 2011 9:17 pm
No, Themida is the only one worth mentioning, and it's just a bunch of encrypted VM handlers. A malware author would just do some binary analysis from base addresses and detect your dll. Hooking or double-hooking struct calls and pointing to other modules is the only way to hide it in ring3 I think.

You don't really need UPX, it's just a packer you can unpack with a single breakpoint and an IAT fixer. Some VM protector wouldn't make much of a difference either.
 #6652  by Buster_BSA
 Thu Jun 02, 2011 10:35 pm
Mr.Bojangles wrote: No, Themida is the only one worth mentioning, and it's just a bunch of encrypted VM handlers. A malware author would just do some binary analysis from base addresses and detect your dll. Hooking or double-hooking struct calls and pointing to other modules is the only way to hide it in ring3 I think.
I made a modification. Try this new version of LOG_API.DLL and let me know what you think:

http://hotfile.com/dl/119691661/3865921 ... I.RAR.html

Note: Injected filename must be "LOG_API.DLL".