It has been a while since the last time I worked on Buster Sandbox Analyzer (BSA). I stopped development mainly for two reasons: one was that BSA already included every feature I could think of and nobody was requesting new features. The other one was that Sandboxie had problems when LOG_API was being injected. I didn't remember exactly what those problems were, but I've been digging in the old Sandboxie forum and found this:

https://www.sandboxie.com/old-forums/viewtopic1185.html?f=22&t=6557&start=915

"I have news about LOG_API64 problems. After talking with the guy coding the dll and doing some tests we found Sandboxie version 4 (even version 4.10 RC) still has bugs in the dll injection mechanism. The injection mechanism works fine until version 3.76, but since version 4, even after the bug fixes done by the Invincea team, it is buggy. When LOG_API64 hooks the NTDLL/Kernel32 dlls in version 4 the problems appear. These problems are not present in Sandboxie 3.76."

https://www.sandboxie.com/old-forums/viewtopica5db.html?f=22&t=6557&start=930

"The problem in notepad SaveAs appears to be a bug in duser.dll. It is complaining of reentrancy. It is very low priority because all it does is cause an error msg to be displayed by Sbie. Notepad keeps running. And how many people are going to be testing notepad under BSA anyway?"

After a while, without any replies, I didn't follow up on those issues and actually I don't know if they were ever fixed or not. Is anyone still using BSA with the Sandboxie 5.x line? Any problems so far?
I used it only with 3.76; later it was abandoned and I never tried to use it because it didn't work with the other new versions. I haven't tested it yet with 5.40.1, the new open source version.
Test it with the new open source version and let me know your findings, please. Don't forget to include the information related to your OS: Windows version.
Testing machine: Windows 10 1909 64-bit, build 18363.815. Virgin system, no other security software (FW, HIPS, etc.). Basically I did a simple, poor test: I opened notepad, wrote a document and saved it, to check that BSA would launch without issue and audit the behaviour of notepad happening behind the scenes. It looks like everything worked normally. Screens of the log: https://imgur.com/a/cwnpfXO
I tried it with the open source version on Win 1903 x64 and when trying the DOSBox installer it crashes when analysis is active; without it, it starts normally. @Quassar can you test DOSBox0.74-3-win32-installer.exe or some other installers? With the notepad exe I got an SBIE error message but other than that it seemed to work.
@DavidXanatos btw which version did you use? I use 5.40.1. Sure, I will make an audit with BSA for some software installs. @Buster_BSA Api_log in the options is blank, same as connection: https://imgur.com/a/6ftGElS Update check works, no new version xD

-bump-

I tried to install software: dosbox and later xnview, both crashed with an error. Later I tested installing xnview without BSA in another container and it worked, so it looks like BSA has an issue. API call log: https://pastebin.com/PM5pb2jk https://imgur.com/a/6vYNqFZ
Did you configure the sandbox and add LOG_API32 and LOG_API64 to the configuration? I mean this:

Edit Sandboxie's configuration (open Sandboxie Control -> Configure -> Edit Configuration) and add the next four lines to every sandbox you will be using with Buster Sandbox Analyzer:

InjectDll=C:\BSA\LOG_API\LOG_API32.DLL
InjectDll64=C:\BSA\LOG_API\LOG_API64.DLL
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y

It should look like:

[DefaultBox]
ConfigLevel=6
Template=LingerPrograms
Template=Firefox_Phishing_DirectAccess
Template=AutoRecoverIgnore
Enabled=y
InjectDll=C:\BSA\LOG_API\LOG_API32.DLL
InjectDll64=C:\BSA\LOG_API\LOG_API64.DLL
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y
...
[UserSettings_00000000]

Note: "C:\BSA" is just an example. It should point to the folder where BSA is located.

I already sent the LOG_API source code to David. He will have to take a look at it to know what's going wrong.
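A small checker for those four settings, added here as example code (it is not part of BSA or Sandboxie): it parses a Sandboxie.ini, skips the sections that are not sandboxes, and reports every box that lacks one of the lines or points at a different path. The C:\BSA path and the sample ini text are assumptions constructed for the example.

```python
import re
# Settings BSA needs in every sandbox; the C:\BSA path is an assumption (adjust to your install).
REQUIRED = {"InjectDll": r"C:\BSA\LOG_API\LOG_API32.DLL", "InjectDll64": r"C:\BSA\LOG_API\LOG_API64.DLL",
            "OpenWinClass": "TFormBSA", "NotifyDirectDiskAccess": "y"}
NON_BOX = re.compile(r"^(GlobalSettings|UserSettings_|Template_)", re.I)  # not sandboxes, skipped

def parse_ini(text):
    # {section: [(key, value), ...]}; repeated keys (several Template= lines) are kept in order
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections

def check_boxes(text):
    # {box: [problem, ...]}; an empty list means the box is set up for BSA
    report = {}
    for name, pairs in parse_ini(text).items():
        if NON_BOX.match(name):
            continue
        values = {}  # ini keys and Windows paths are case-insensitive, so compare lowercased
        for key, value in pairs:
            values.setdefault(key.lower(), []).append(value.lower())
        problems = []
        for key, want in REQUIRED.items():
            got = values.get(key.lower(), [])
            if not got:
                problems.append(f"missing {key}")
            elif want.lower() not in got:
                problems.append(f"{key} is {got[0]!r}, expected {want!r}")
        report[name] = problems
    return report

# Constructed sample: DefaultBox is complete, TestBox lacks the InjectDll64 line.
SAMPLE = """[DefaultBox]
InjectDll=C:\\BSA\\LOG_API\\LOG_API32.DLL
InjectDll64=C:\\BSA\\LOG_API\\LOG_API64.DLL
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y
[TestBox]
InjectDll=C:\\BSA\\LOG_API\\LOG_API32.DLL
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y
[UserSettings_00000000]
"""
```

Running check_boxes over the real file (open(r"C:\Windows\Sandboxie.ini").read() on a default install) gives one entry per box, so a box that still crashes with an empty problem list points away from the configuration and toward the injection issue discussed below.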
Yeah, but it looks like I missed "InjectDll64=C:\BSA\LOG_API\LOG_API64.DLL". I also have a process limit set... I will add the 64-bit API line and check it out, and later I will check again without the process limit rule. https://imgur.com/a/hEzdwzj

-bump-

Still crashes in both scenarios: https://pastebin.com/TnddGB53
Process limit rules were included by Ronen to help BSA with malware that bombs the system by launching lots of processes. That setting should not make any difference.
Yeah, that's how I thought: a common installer uses 1-4 processes to start the installer, unpack into system files/libs, and run the software.
The problem may be a bug in the injection mechanism that the guy coding LOG_API found a long time ago. Curt never replied whether he fixed that bug and the others that were reported to him.
I'm not sure if I was clear enough so I'll explain it again. LOG_API was working fine with the Sandboxie 3.x line. Then Ronen changed the internal architecture and also the injection mechanism. Several years ago the guy coding LOG_API (a very skilled coder and expert in Windows internals) checked why LOG_API was crashing under Sandboxie 4.x. He found Sandboxie's injection mechanism was buggy. So I'm pretty sure that if a program crashes when LOG_API is injected but works fine when it is not loaded, it's due to the problems found years ago in the injection mechanism. If that guess is right, then in order to get BSA working again with Sandboxie, these problems should be fixed.
Yeah, I got it. I also noticed it a long time ago and sent a support ticket to the Sandboxie staff, but they discarded my support ticket because BSA wasn't their business :/
Sorry, I was distracted looking into the MSI installer bug; maybe I should put that aside and look at some smaller targets.
Yes, I played around with it a bit. Strange thing: when running automated analysis the API log works, when running manual it stays empty. Not sure why that is. Another thing I noticed is that when user32 "SetTimer" is hooked a lot of applications crash on startup, even notepad.
With the Sandboxie 3.x line that problem was not present. What happens if SetTimer is not hooked? Do applications not crash anymore?
I know, I tested on W7 with 3.70 and it was fine. Actually the issue is the PushToLogA call in the SetTimer hook; when it's commented out I could start various apps without a crash. The strange thing is that the crash occurs in a later DefWindowProcW call. I think for whatever reason calling SendMessageA at that particular moment breaks something down the line. No idea what though, as the subsequent crash is in a part of the Windows libs. IMHO a workaround would be to use pipes to communicate instead of window messages.
David did incredible work and we already have a BSA 1.89 Beta 2 version we are testing. We replaced the old communication method used between LOG_API and BSA to exchange information and now fewer apps are crashing when being analyzed. I tried to keep things simple so BSA 1.89 will look the same. As soon as tests are finished I will release the BSA 1.89 binary.