[Buster_BSA]

I agree with you - inbound connections from other than 64.12.96.129 appears not always, but on some systems. I don't know why. And agree with you that winpcap (that is just Windows implementation of libpcap) cannot find processes.

Anyway - in such conditions when I will try any sandboxed process with unsandboxed network activity I will receive fake alerts. But it's not true, I have tried to reproduce it with sandboxed standard Notepad with a lot of background network activity (torrents, browser etc) - and I did not receive any alerts with exception of UDP packets, but it is pretty normal and documented in manuals. I don't know how the author made such feature but anyway - it works even using winpcap.

BSA filters TCP packets and only processes those ones that belong to sandboxed processes. WinPCap doesn´t do that, of course. I had to code a routine to separate packets and then find out what application generated them.

[Buster_BSA]

So all the rants came from the negative reputation I gave you. Fair enough.

[Mr.Bojangles]

What does your tool do to hide sandboxie? from what I see it just uses codeproject HideDriver to hide sandboxie processes, and x64 users are screwed. There are still plenty of other methods through threading, mapping structs, and IOCTL for detecting.

Also how is sandboxie considered effective when no-talent .net and vb programmers are all detecting it and using logic bombs to get out(and have effectively been for years(the author has done literally nothing to prevent even the simple methods also))?

[gjf]

Mr.Bojanglesб as for me I use sbiextra in cooperation with BSA just to improve hiding.

But you are right - the hiding is pretty poor. For instance from the latest samples - here it is (password is virus). It is Xorist malware, it encrypts user's files and asks a donation for decryptor. It has quite strong VBKrypt packer which detects VMs/Sandboxes. That's why the sandboxed behaviour differs from original one. I could not find the way to fool this VBKrypt protection using BSA.

So it would be quite promising if author paid attention on hiding.

[Mr.Bojangles]

Mr.Bojanglesб as for me I use sbiextra in cooperation with BSA just to improve hiding.

But you are right - the hiding is pretty poor. For instance from the latest samples - here it is (attached). It is Xorist malware, it encrypts user's files and asks a donation for decryptor. It has quite strong VBKrypt packer which detects VMs/Sandboxes. That's why the sandboxed behaviour differs from original one. I could not find the way to fool this VBKrypt protection using BSA.

So it would be quite promising if author paid attention on hiding.

You can do better than HideDriver just through threading and hooking(or detours) from ring3..the rest of BSA is just API logging and a winpcap interface..

[Buster_BSA]

What does your tool do to hide sandboxie? from what I see it just uses codeproject HideDriver to hide sandboxie processes, and x64 users are screwed. There are still plenty of other methods through threading, mapping structs, and IOCTL for detecting.

Also how is sandboxie considered effective when no-talent .net and vb programmers are all detecting it and using logic bombs to get out(and have effectively been for years(the author has done literally nothing to prevent even the simple methods also))?

HideDriver is not the only way used to hide Sandboxie from sandboxed applications, LOG_API.DLL also does some work, but you are right, x64 users are in disadvantage in that aspect because HideDriver doesn´t work there.

I realize there may exist many methods for detecting, but I never pretended to make an infallible method because I don´t think it exists, at least when the malware analyzer is public.

Environment detection is a common problem for all the public analyzers and as far as I know, nobody was able to make a transparent analyzer.

I can understand why tzuk never did anything to prevent detection. He even commented why several times. Basically he told it´s not possible to hide completely the tool, so it´s pointless to even try it.

[Buster_BSA]

Mr.Bojanglesб as for me I use sbiextra in cooperation with BSA just to improve hiding.

But you are right - the hiding is pretty poor. For instance from the latest samples - here it is (attached). It is Xorist malware, it encrypts user's files and asks a donation for decryptor. It has quite strong VBKrypt packer which detects VMs/Sandboxes. That's why the sandboxed behaviour differs from original one. I could not find the way to fool this VBKrypt protection using BSA.

So it would be quite promising if author paid attention on hiding.

The attached file is missing. Could you give a link, please?

[gjf]

Yup, it was caused by 5 Mb restriction on the forum. I have editted my previous message with a link.

[Mr.Bojangles]

HideDriver is not the only way used to hide Sandboxie from sandboxed applications, LOG_API.DLL also does some work, but you are right, x64 users are in disadvantage in that aspect because HideDriver doesn´t work there.

I realize there may exist many methods for detecting, but I never pretended to make an infallible method because I don´t think it exists, at least when the malware analyzer is public.

Environment detection is a common problem for all the public analyzers and as far as I know, nobody was able to make a transparent analyzer.

I can understand why tzuk never did anything to prevent detection. He even commented why several times. Basically he told it´s not possible to hide completely the tool, so it´s pointless to even try it.

Given that nobody allows driver loading inside sandboxie you're only left with some structs and threading syscalls. Also some struct returns by system status calls.

CreateToolhelp32Snapshot
Module32First
Module32Next
LoadLibrary
SWbemServices
GetModuleHandle

log_api should at least handle those..lots more around virtual memory and threading. PE structs seem ok.

[Buster_BSA]

CreateToolhelp32Snapshot
Module32First
Module32Next
LoadLibrary
SWbemServices
GetModuleHandle

log_api should at least handle those..lots more around virtual memory and threading. PE structs seem ok.

log_api handle those ones already (except SWbemServices) and some others related to the things you mention.

If you want, you can download last BSA package from here and review it. Then you can suggest improvments about things it misses.