Buster Sandbox Analyzer

Discussion in 'sandboxing & virtualization' started by Buster_BSA, May 4, 2020.

  1. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    659
    It has been a while since last time I worked in Buster Sandbox Analyzer (BSA).

    I stopped development mainly for two reasons: one was that BSA already included every feature I could think of and nobody was requesting new features; the other was that Sandboxie had problems when LOG_API was being injected.

    I didn't remember exactly what those problems were, but I've been digging in the old Sandboxie forum and found this:

    https://www.sandboxie.com/old-forums/viewtopic1185.html?f=22&t=6557&start=915

    "I have news about LOG_API64 problems.

    After talking with the guy coding the dll and doing some tests we found Sandboxie version 4 (even version 4.10 RC) still has bugs in the dll injection mechanism. The injection mechanism works fine until version 3.76, but since version 4, even after the bug fixes done by the Invincea team, it is buggy.

    When LOG_API64 hooks the NTDLL/Kernel32 dlls in version 4 the problems appear. These problems are not present in Sandboxie 3.76."

    https://www.sandboxie.com/old-forums/viewtopica5db.html?f=22&t=6557&start=930

    "The problem in notepad SaveAs appears to be a bug in duser.dll. It is complaining of reentrancy. It is very low priority because all it does is cause an error msg to be displayed by Sbie. Notepad keeps running. And how many people are going to be testing notepad under BSA anyway?"

    After a while, without any replies, I didn't follow up on those issues and actually I don't know if they were ever fixed or not.

    Is anyone still using BSA with the Sandboxie 5.x line?

    Any problems so far?
     
  2. Quassar

    Quassar Registered Member

    Joined:
    Oct 19, 2011
    Posts:
    149
    I used it only with 3.76; later it was abandoned and I never tried to use it because it didn't work with the other new versions.

    I didn't test it yet with 5.40.1, the new open source version.
     
  3. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    659
    Test it with new open source version and let me know your findings, please.

    Don't forget to include the information related to your OS: Windows version.
     
  4. Quassar

    Quassar Registered Member

    Joined:
    Oct 19, 2011
    Posts:
    149
    Testing machine
    Windows 10 1909 64-Bit build 18363.815
    Virgin system, no other security software (FW, HIPS, etc.)

    Basically I did a simple, poor test ("opened notepad, wrote a document and saved it")
    to check that BSA will start and launch without issue
    and audit the behaviors of notepad which happen behind the scenes.

    Looks like all works normally :)

    Screens of log:
    https://imgur.com/a/cwnpfXO
     
    Last edited: May 4, 2020
  5. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    659
    Thanks for the test!

    Did LOG_API work fine? Did you see APIs being displayed correctly?
     
  6. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    669
    Location:
    Viena
    I tried it with the open source version on Win 1903 x64,
    and when trying the DOSBox installer it crashes when analysis is active; without it, it starts normally.

    @Quassar
    can you test DOSBox0.74-3-win32-installer.exe or some other installers?

    With notepad.exe I got an SBIE error message, but other than that it seemed to work.
     
  7. Quassar

    Quassar Registered Member

    Joined:
    Oct 19, 2011
    Posts:
    149
    Last edited: May 4, 2020
  8. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    669
    Location:
    Viena
    I used the same version.
     
  9. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    659
    Did you configure the sandbox and add LOG_API32 and LOG_API64 to the configuration?

    I mean this:

    Edit Sandboxie's configuration (open Sandboxie Control -> Configure -> Edit Configuration) and add the next four lines to every sandbox you will be using with Buster Sandbox Analyzer:

    InjectDll=C:\BSA\LOG_API\LOG_API32.DLL
    InjectDll64=C:\BSA\LOG_API\LOG_API64.DLL
    OpenWinClass=TFormBSA
    NotifyDirectDiskAccess=y

    It should look like:

    [DefaultBox]
    ConfigLevel=6
    Template=LingerPrograms
    Template=Firefox_Phishing_DirectAccess
    Template=AutoRecoverIgnore
    Enabled=y
    InjectDll=C:\BSA\LOG_API\LOG_API32.DLL
    InjectDll64=C:\BSA\LOG_API\LOG_API64.DLL
    OpenWinClass=TFormBSA
    NotifyDirectDiskAccess=y
    ...
    [UserSettings_00000000]


    Note: "C:\BSA" is just an example. It should point to the folder where BSA is located.

    I already sent LOG_API source code to David. He will have to take a look at it to know what's going wrong.
     
    Last edited: May 4, 2020
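A checker for that configuration step, added here as an example and not code from BSA or Sandboxie: it parses a Sandboxie.ini and reports, per sandbox section, which of the four BSA lines is missing (for instance an InjectDll64 line left out, as happens later in the thread). The section names it treats as non-boxes (GlobalSettings, UserSettings_*, Template_*) are an assumption about the ini layout, and the sample ini is constructed.

```python
import ntpath
import re

# Added example, not BSA's or Sandboxie's code: checks that every sandbox section
# of a Sandboxie.ini carries the four BSA lines from the post. InjectDll paths are
# matched by DLL filename, since "C:\BSA" is only an example folder. Treating
# GlobalSettings, UserSettings_* and Template_* as non-box sections is an assumption.
REQUIRED_EXACT = {"OpenWinClass": "TFormBSA", "NotifyDirectDiskAccess": "y"}
REQUIRED_DLLS = {"InjectDll": "LOG_API32.DLL", "InjectDll64": "LOG_API64.DLL"}
NON_BOX = re.compile(r"^(GlobalSettings|UserSettings_.*|Template_.*)$", re.I)
# Constructed sample: DefaultBox is complete; TestBox lacks InjectDll64 (the line
# missed in the thread) and OpenWinClass.
SAMPLE_INI = """[DefaultBox]
InjectDll=C:\\BSA\\LOG_API\\LOG_API32.DLL
InjectDll64=C:\\BSA\\LOG_API\\LOG_API64.DLL
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y
[TestBox]
InjectDll=D:\\Tools\\BSA\\LOG_API\\LOG_API32.DLL
NotifyDirectDiskAccess=y
[UserSettings_00000000]
"""

def parse_sandboxie_ini(text):
    """Return {section: [(key, value), ...]}; keys may repeat (e.g. Template=)."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections

def check_box(entries):
    """List what one sandbox section lacks for BSA (empty list = OK)."""
    values, problems = {}, []
    for key, value in entries:
        values.setdefault(key.lower(), []).append(value)
    for key, expected in REQUIRED_EXACT.items():
        if expected not in values.get(key.lower(), []):
            problems.append(f"missing {key}={expected}")
    for key, dll in REQUIRED_DLLS.items():
        if not any(ntpath.basename(v).upper() == dll for v in values.get(key.lower(), [])):
            problems.append(f"missing {key}=<BSA folder>\\LOG_API\\{dll}")
    return problems

def check_ini(text):
    # Map each sandbox section to its problems; non-box sections are skipped.
    return {n: check_box(e) for n, e in parse_sandboxie_ini(text).items() if not NON_BOX.match(n)}
```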
  10. Quassar

    Quassar Registered Member

    Joined:
    Oct 19, 2011
    Posts:
    149
    Yea, but it looks like I missed "InjectDll64=C:\BSA\LOG_API\LOG_API64.DLL" :D

    I have a process limit set yet...

    I will add the 64-bit API line and check it out,
    and later I will check again without the process limit rule.
    https://imgur.com/a/hEzdwzj


    -bump-
    Still crashes in both scenarios
    https://pastebin.com/TnddGB53
     
    Last edited: May 4, 2020
  11. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    659
    Process limit rules were included by Ronen to help BSA with malware that bombs the system launching lots of processes. That setting should not make any difference.
     
  12. Quassar

    Quassar Registered Member

    Joined:
    Oct 19, 2011
    Posts:
    149
    Yea, that's how I thought: a common installer uses 1-4 processes to start the installer, repack into system files/libs, and run the software..
     
  13. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    659
    The problem may be a bug in the injection mechanism that the guy coding LOG_API found a long time ago. Curt never replied whether he fixed that bug and the others that were reported to him.
     
  14. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    659
    I'm not sure if I was clear enough, so I'll explain it again. LOG_API was working fine with the Sandboxie 3.x line. Then Ronen changed the internal architecture and also the injection mechanism.

    Several years ago the guy coding LOG_API (a very skilled coder and expert in Windows internals) checked why LOG_API was crashing under Sandboxie 4.x. He found Sandboxie's injection mechanism was buggy.

    So I'm pretty sure that if a program crashes when LOG_API is injected but works fine when it is not loaded, it's due to the problems found years ago in the injection mechanism.

    If that guess is right, then in order to get BSA working again with Sandboxie, these problems should be fixed.
     
  15. Quassar

    Quassar Registered Member

    Joined:
    Oct 19, 2011
    Posts:
    149
    Yea, I got it.
    I also noticed it a long time ago and sent a support ticket to the Sandboxie staff, but they discarded my support ticket because BSA wasn't their business :/
     
  16. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    659
    In fact BSA was competition for their FreeSpace product.
     
  17. Quassar

    Quassar Registered Member

    Joined:
    Oct 19, 2011
    Posts:
    149
    Any progress in compatibility ?!
     
  18. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    669
    Location:
    Viena
    Sorry, I was distracted looking into the MSI installer bug; maybe I should put that aside and look at some smaller targets.
     
  19. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    659
    I'm afraid the problem in the injection mechanism is not a smaller target either. I hope I'm wrong.
     
  20. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    659
    Did you take a look at injection mechanism?
     
  21. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    669
    Location:
    Viena
    Yes, I played around with it a bit. Strange thing: when running automated analysis the API log works, when running manual it stays empty.
    Not sure why that is.
    Another thing I noticed is that when user32 "SetTimer" is hooked a lot of applications crash on startup, even notepad.
     
    Last edited: May 28, 2020
  22. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    659
    With Sandboxie 3.x line that problem was not present.

    What happens if SetTimer is not hooked? Applications don't crash anymore?
     
  23. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    669
    Location:
    Viena
    I know I tested on W7 with 3.70 and it was fine.

    Actually the issue is the PushToLogA call in the SetTimer hook; when it's commented out I could start various apps without a crash.
    The strange thing is that the crash occurs in a later DefWindowProcW call.
    I think for whatever reason calling SendMessageA at that particular moment breaks something down the line.

    No idea what though, as the subsequent crash is in a part of the Windows libs.

    IMHO a workaround would be to use pipes to communicate instead of window messages.
     
  24. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    659
    Ok, let's try that. We continue by mail.
     
  25. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    659
    David did incredible work and we already have a BSA 1.89 Beta 2 version that we are testing. We replaced the old communication method used between LOG_API and BSA to exchange information, and now fewer apps crash when being analyzed.

    I tried to keep things simple, so BSA 1.89 will look the same.

    As soon as tests are finished I will release the BSA 1.89 binary.
     