A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #859  by Buster_BSA
 Fri Apr 23, 2010 5:07 pm
Hi.

I would like to open a topic in this forum for Buster Sandbox Analyzer, my malware analysis tool.

For people who still don't know what BSA is, please take a look here: http://bsa.isoftware.nl/

The tool can be downloaded directly from: http://bsa.isoftware.nl/bsa.rar

Why another BSA topic? Well, I think in this forum I may find people who can help me improve the tool.

Improve how? Well, I hope with ideas for new features and suggestions to improve the existing ones. Also testing the tool and finding bugs.

I just released BSA version 1.19 (web site is pending update), which improves the packet sniffer very much. The new version is able to capture only the TCP traffic coming from sandboxed applications. It will also show which program generated the captured packet. Additionally, it will be able to save the captured traffic to a .pcap file.

For forensic network analysis I added Pcap Explorer. It's a feature that can open .pcap files and extract files from HTTP traffic and email attachments. It can follow a TCP session. It can save a new capture filtered by user rules.

A few weeks ago I contacted some malware researchers asking for suggestions on how to improve my tool. One of them, Lenny Zeltser (http://zeltser.com), criticised that some malware, especially rootkits, may not run under Sandboxie, or if it does, not all the actions will be logged due to Sandboxie restrictions.

I think he made a very good criticism, so I'm currently working to improve my tool in that sense. My goal is to get BSA analyzing malware that runs outside the sandbox, on a real or a virtual system. Of course, it's always a better idea to run malware on a real system because many samples are aware of the presence of VMs.

In order to record malware actions Capture-BAT will be used: https://www.honeynet.org/node/315
Capture BAT is a behavioral analysis tool of applications for the Win32 operating system family. Capture BAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights on how the software operates even if no source code is available. Capture BAT monitors state changes on a low kernel level and can easily be used across various Win32 operating system versions and configurations.
Capture BAT logs file and registry changes to a file. It also logs process creation. It can even capture internet traffic.

The idea is that Capture BAT logs malware actions and BSA analyzes them.

So in the next release (1.20) BSA will be able to analyze malware that doesn't run under Sandboxie's supervision.

After version 1.20 is out I will be out of ideas, so I will need your help to continue developing it.

I hope you can help to improve BSA.

Regards.
Last edited by EP_X0FF on Mon Dec 13, 2010 2:26 pm, edited 1 time in total. Reason: Readded links to site and download
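As an added illustration of what the "save to .pcap", "follow a TCP session" and "extract files from HTTP traffic" features above have to do under the hood (this is not BSA's Pcap Explorer code, just an example written for this thread): a minimal pcap reader in Python that walks the libpcap record headers, reassembles one TCP flow by sequence number even when the segments were captured out of order, and carves an HTTP response body using its Content-Length. It assumes Ethernet link type, IPv4 and no retransmissions; the capture is built in memory from constructed packets, with checksums left zero because nothing validates them.

```python
"""Minimal pcap reader: follow one TCP session and carve an HTTP response
body. Added example, not Buster Sandbox Analyzer's own Pcap Explorer code.
Assumptions: libpcap format with Ethernet link type, IPv4 without options
beyond IHL, TCP without retransmissions. The sample capture is constructed
in memory below; IP/TCP checksums are left zero because nothing checks them."""
import struct
from collections import defaultdict


def ip_tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Build a raw Ethernet/IPv4/TCP frame for the constructed capture."""
    eth = b"\x00" * 12 + b"\x08\x00"                         # dst/src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4, flags, 8192, 0, 0) + payload    # 20-byte header, no options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a libpcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return out


def tcp_segments(data):
    """Yield (src, sport, dst, dport, seq, payload) for every TCP segment in a pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        _ts, _us, caplen, _origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":                      # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                                       # not TCP
            continue
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        sport, dport, seq, _ack, off_res = struct.unpack("!HHIIB", tcp[:13])
        data_off = (off_res >> 4) * 4
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        yield src, sport, dst, dport, seq, tcp[data_off:]


def follow_streams(data):
    """Reassemble each unidirectional flow in sequence order ("follow TCP session")."""
    flows = defaultdict(dict)
    for src, sport, dst, dport, seq, payload in tcp_segments(data):
        if payload:                                          # skip SYN/ACK-only segments
            flows[(src, sport, dst, dport)][seq] = payload
    return {k: b"".join(segs[s] for s in sorted(segs)) for k, segs in flows.items()}


def carve_http_bodies(data):
    """Return {(client, server): body} for each HTTP response, cut at Content-Length."""
    bodies = {}
    for (src, sport, dst, dport), stream in follow_streams(data).items():
        if not stream.startswith(b"HTTP/1."):
            continue
        head, _, rest = stream.partition(b"\r\n\r\n")
        length = None
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        bodies[(dst, src)] = rest if length is None else rest[:length]
    return bodies


# Constructed session: a sandboxed client fetches /update.bin; the server's two
# data segments are recorded out of order to exercise the reassembly.
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"
REQUEST = b"GET /update.bin HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"
RESP_BODY = b"MZ\x90\x00" + b"\x00" * 8                      # 12 bytes, PE-looking stub
RESP_HEAD = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
             b"Content-Length: %d\r\n\r\n" % len(RESP_BODY))
SAMPLE_PCAP = build_pcap([
    ip_tcp_frame(CLIENT, SERVER, 49152, 80, 1000, 0, 0x02),              # SYN
    ip_tcp_frame(SERVER, CLIENT, 80, 49152, 5000, 1001, 0x12),           # SYN/ACK
    ip_tcp_frame(CLIENT, SERVER, 49152, 80, 1001, 5001, 0x18, REQUEST),  # PSH/ACK
    ip_tcp_frame(SERVER, CLIENT, 80, 49152, 5001 + len(RESP_HEAD),
                 1001 + len(REQUEST), 0x18, RESP_BODY),                  # arrives first
    ip_tcp_frame(SERVER, CLIENT, 80, 49152, 5001,
                 1001 + len(REQUEST), 0x18, RESP_HEAD),                  # arrives second
])

if __name__ == "__main__":
    for (client, server), body in carve_http_bodies(SAMPLE_PCAP).items():
        print(f"{client} <- {server}: {len(body)} bytes, starts with {body[:2]!r}")
```

Sorting segments by sequence number is what makes the out-of-order server reply come back as one stream; a real extractor would also need to handle retransmissions, sequence wraparound and chunked transfer encoding, which this example deliberately leaves out.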
 #1008  by Buster_BSA
 Thu May 06, 2010 5:49 pm
gjf wrote:Unfortunately a lot of malware operates by installing its driver. That is the limitation of such sandboxes. But anyway, thanks, I will try it.
The objective of Buster Sandbox Analyzer is to tell if the analyzed application has a malicious behaviour.

Even if the malware cannot run fully because Sandboxie will not allow it, the driver will be dropped to the Windows folder (most probably), so this action will be noticed and reported as malicious.

Additionally the new version supports Capture-BAT log files.
Capture BAT is a behavioral analysis tool of applications for the Win32 operating system family. Capture BAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights on how the software operates even if no source code is available. Capture BAT monitors state changes on a low kernel level and can easily be used across various Win32 operating system versions and configurations.
https://www.honeynet.org/node/315

So you can run the malware under the supervision of Capture-BAT and pass the log it creates to BSA. BSA will create the report and the analysis from the log.

I hope that's good enough. If not, I'm always open to suggestions about how to improve BSA. ;)
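As an added example of the "Capture-BAT records, the analyzer judges" split described in this post and in the first one (this is not BSA's analysis engine, just illustrative code for the thread): a small Python triage script over a Capture-BAT style behaviour log. The five-column quoted-CSV layout (timestamp, type, event, process, object) is an assumption about the Capture-BAT format, the log lines are constructed, and the rules encode the kind of call made above: a driver written into the Windows folder and a Services key set by the sample are reported as malicious even though the driver never got to load.

```python
"""Triage a Capture-BAT style behaviour log. Added example, not BSA's own
analysis code. Assumed record layout (one quoted CSV record per line):
    "timestamp","type","event","process path","object path"
where type is process / file / registry and, for process/created rows, the
process column is the parent and the object column is the new child.
The sample log below is constructed for this example."""
import csv
import io
import re

SAMPLE_LOG = '''\
"5/13/2010 10:02:11.281","process","created","C:\\WINDOWS\\explorer.exe","C:\\samples\\bot.exe"
"5/13/2010 10:02:11.500","file","Write","C:\\samples\\bot.exe","C:\\WINDOWS\\system32\\drivers\\netflt.sys"
"5/13/2010 10:02:11.515","registry","SetValueKey","C:\\samples\\bot.exe","HKLM\\SYSTEM\\CurrentControlSet\\Services\\netflt\\ImagePath"
"5/13/2010 10:02:11.530","registry","SetValueKey","C:\\samples\\bot.exe","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\netsvc"
"5/13/2010 10:02:11.600","file","Write","C:\\samples\\bot.exe","C:\\Documents and Settings\\user\\Local Settings\\Temp\\tmp1.dat"
"5/13/2010 10:02:12.000","process","created","C:\\samples\\bot.exe","C:\\WINDOWS\\system32\\cmd.exe"
'''

# (description, row type, row event, pattern on the object path, weight)
RULES = [
    ("driver dropped into Windows folder", "file", "write",
     re.compile(r"^[a-z]:\\windows\\.*\.sys$", re.I), 10),
    ("executable dropped into Windows folder", "file", "write",
     re.compile(r"^[a-z]:\\windows\\.*\.(exe|dll)$", re.I), 6),
    ("service or driver registered under Services", "registry", "setvaluekey",
     re.compile(r"^hklm\\system\\(currentcontrolset|controlset\d+)\\services\\", re.I), 8),
    ("autorun persistence key written", "registry", "setvaluekey",
     re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?\\", re.I), 5),
    ("child process spawned", "process", "created",
     re.compile(r".*"), 1),
]


def parse_log(text):
    """Parse the assumed CSV layout into dicts; malformed rows are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != 5:
            continue
        ts, kind, event, proc, obj = rec
        rows.append({"ts": ts, "type": kind.lower(), "event": event.lower(),
                     "process": proc, "object": obj})
    return rows


def analyze(text, sample_path):
    """Score every action done by the sample or by processes it created.

    Returns {"findings": [(rule, object), ...], "score": int, "verdict": str}."""
    rows = parse_log(text)
    tracked = {sample_path.lower()}          # the sample plus its descendants
    for r in rows:                           # log is chronological, so one pass suffices
        if r["type"] == "process" and r["event"] == "created" \
                and r["process"].lower() in tracked:
            tracked.add(r["object"].lower())
    findings, score = [], 0
    for r in rows:
        if r["process"].lower() not in tracked:
            continue                         # activity of unrelated processes
        for name, kind, event, pattern, weight in RULES:
            if r["type"] == kind and r["event"] == event and pattern.search(r["object"]):
                findings.append((name, r["object"]))
                score += weight
    verdict = "malicious" if score >= 10 else "suspicious" if score > 0 else "clean"
    return {"findings": findings, "score": score, "verdict": verdict}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, r"C:\samples\bot.exe")
    for name, obj in result["findings"]:
        print(f"[{name}] {obj}")
    print("score", result["score"], "verdict", result["verdict"])
```

The point of tracking the sample's children is that a dropper which hands the real work to cmd.exe or a second-stage binary would otherwise be scored as clean; the thresholds and weights are arbitrary and only there to show how a behaviour log turns into a verdict.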
 #1067  by gjf
 Wed May 12, 2010 11:42 pm
OK, it's pretty cool. But one suggestion. You give no ability to use some favourite add-ons such as HEX editors etc. For instance, BSA has its own PE Explorer, and I like another one; its own HEX Editor, and I like HIEW, etc. It would be good to have the ability to configure external tools for such applications as well.
Last edited by gjf on Thu May 13, 2010 7:07 am, edited 1 time in total.
 #1068  by gjf
 Thu May 13, 2010 12:03 am
And one question: is it possible to use a relative path to the injected dll in the Sandboxie config in the case of a portable installation? I mean:
Code: Select all
InjectDll=App\Buster Sandbox Analyzerlogi.dll
OpenWinClass=TFormBSA
It would be useful for USB flash installations due to different drive letters on different systems.
 #1074  by Buster_BSA
 Thu May 13, 2010 6:25 am
gjf wrote:OK, it's pretty cool. But one suggestion. You give no ability to use some favourite add-ons such as HEX editors etc. For instance, BSA has its own PE Explorer, and I like another one; its own HEX Editor, and I like HIEW, etc. It would be good to have the ability to configure external tools for such applications as well.
I will consider adding such feature. Thanks for the suggestion!
 #1075  by Buster_BSA
 Thu May 13, 2010 6:28 am
gjf wrote:And one question: is it possible to use a relative path to the injected dll in the Sandboxie config in the case of a portable installation? I mean:
Code: Select all
InjectDll=App\Buster Sandbox Analyzerlogi.dll
OpenWinClass=TFormBSA
It would be useful for USB flash installations due to different drive letters on different systems.
I'm afraid that's not possible. You can request that feature by creating a post here:

http://sandboxie.com/phpbb/viewforum.php?f=4
 #1077  by gjf
 Thu May 13, 2010 9:41 am
OK, I've requested it there. Thanks for support.

Another issue: is this buggy output, due to Cyrillic names, caused by Sandboxie, or is it a BSA limitation:
Executing: c:\documents and settings\ам
рар\Ра л\bot.exe
LoadLibrary(kernel32.dll) [c:\documents and settings\ам
рар\Ра л\bot.exe]
LoadLibrary(shlwapi.dll) [c:\documents and settings\ам
Please note also that the viewer menu in BSA calls the text editor in the sandbox. Why? Logs are safe, and sandbox placement leads to some trouble saving them.
 #1078  by Buster_BSA
 Thu May 13, 2010 11:50 am
gjf wrote:Another issue: is this buggy output, due to Cyrillic names, caused by Sandboxie, or is it a BSA limitation:
Executing: c:\documents and settings\ам
рар\Ра л\bot.exe
LoadLibrary(kernel32.dll) [c:\documents and settings\ам
рар\Ра л\bot.exe]
LoadLibrary(shlwapi.dll) [c:\documents and settings\ам
It's due to Cyrillic names. I don't think there is anything to fix there.
gjf wrote:Please note also that the viewer menu in BSA calls the text editor in the sandbox. Why? Logs are safe, and sandbox placement leads to some trouble saving them.
That should not happen. Maybe you have something misconfigured in Sandboxie.

Tell me the steps to reproduce the problem, please. I will check whether it's a bug or you have something wrongly configured.