Buster Sandbox Analyzer

Discussion in 'sandboxing & virtualization' started by Buster_BSA, May 4, 2020.

  1. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    661
    In fact David's releases are the required ones to get BSA working fine.
     
  2. Stukalide

    Stukalide Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    58
    Cool, thanks. I got the BSA warning message about needing to update my Sandboxie to v5.43, and as I was in the process of doing so, I saw that Sandboxie-Plus was also available. I'd like to try it out but wasn't sure if the Plus version was altered enough to the point that BSA wouldn't work with it. Good to know that's not the case, thanks!
     
  3. stormysky_666

    stormysky_666 Registered Member

    Joined:
    Oct 3, 2020
    Posts:
    5
    Location:
    FR
    Hi, first of all thanks for the update, I just discovered this pretty useful tool! Love how readable the reports are :)

    I've encountered a few problems though:
    The first time I started the analysis I had this error: "LOG_API's OpenPiePath not found at Sandboxie.ini", and then it seems that it added this line to my Sandboxie.ini:
    OpenPipePath=\Device\NamedPipe\LogAPI

    After that I always get the error: "You are injecting 64 bits version of LOG_API into 32 bits processes". And if I use the 32-bit DLL instead, I get the exact opposite error message!
    Although it doesn't seem to prevent it from working properly (I didn't go very deep into the analysis though).

    And about David's release, I first tried using his "Sandboxie-Plus" version instead of Sandboxie, and I got a bit destabilised by the UI not corresponding to the doc: maybe you should update the doc accordingly if that's the one meant to be used?
    I also had problems with the BSA analysis staying empty, but a reinstall fixed it. It actually looks like it was because of that missing OpenPipePath line (which is not automatically added when using Sandboxie-Plus?!)!

    And what about the Resource Logging and API Call Logging buttons, do they do anything? At first it seemed they added some broken lines (InjectDll with a bad path) to the ini config, but now it seems they don't do anything at all.

    Also about the VT result, I'm not sure I understand, is it supposed to appear in my VT account? I don't find it, although in the reports I do have a vtresultat.json, but I was expecting something more human friendly than a json? ;)

    Now that I think about it, I'm wondering if the Sandboxie-Plus config problems aren't related to some conflict with the previous Sandboxie installation.
     
  4. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    661
    All the lines required to get BSA working with Sandboxie must be added manually following manual instructions. Nothing is added automatically even with Sandboxie Plus.

    As BSA was released when Sandboxie Plus didn't exist, I suggest people continue using the classic GUI. This will avoid confusion because Sandboxie Plus Resource Logging and API Call Logging are functions used internally by David's Sandboxie version, not by BSA itself.

    The error "You are injecting 64 bits version" .. is caused by a bad configuration. The lines to be included in Sandboxie.ini are:

    InjectDll=C:\BSA\LOG_API\LOG_API32.DLL
    InjectDll64=C:\BSA\LOG_API\LOG_API64.DLL

    Note: in the last release the names of the DLLs are slightly different.

    Probably you are adding something like:

    InjectDll=C:\BSA\LOG_API\LOG_API64.DLL

    "InjectDll" is for the 32-bit DLL and "InjectDll64" is for the 64-bit one.

    After registering in VT you will receive an API key. You must copy and paste this API key into a file named "virustotal_apikey.txt". Put that file in the same folder as BSA.EXE.

    You must also add VT report support by enabling the feature at: Options > Report Options > Information > VirusTotal

    The json is just a temporary file that will be processed by BSA. When the reports are created, the information will be presented in a readable format.

    I hope this info helps you to solve all issues.
     
    Last edited: Oct 3, 2020
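    The misconfiguration described above (InjectDll pointing at the 64-bit DLL, or the two DLLs swapped) can be caught before Sandboxie ever injects anything by reading the Machine field of each DLL's PE header and comparing it with the key it is assigned to. The following script is an added example, not BSA's or Sandboxie's own code; the DLL paths come from the post, the constructed fake_pe() headers stand in for the real DLLs so the check runs offline, and for real files you pass load_dll=read_file instead.

```python
"""Sanity-check the LOG_API injection lines for BSA in Sandboxie.ini.

Added example, not BSA's or Sandboxie's own code. It reads IMAGE_FILE_HEADER.Machine
of each DLL and compares it with the key it is assigned to, which is the mismatch
behind "You are injecting 64 bits version of LOG_API into 32 bits processes".
"""
import re
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C   # 32-bit x86 image
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # 64-bit x64 image

# Which key must point at which bitness: InjectDll -> 32-bit, InjectDll64 -> 64-bit.
EXPECTED = {"InjectDll": IMAGE_FILE_MACHINE_I386, "InjectDll64": IMAGE_FILE_MACHINE_AMD64}
# InjectDll64 must be tried before InjectDll, otherwise the shorter key would match first.
LINE_RE = re.compile(r"^(InjectDll64|InjectDll|OpenPipePath)=(.*)$")


def pe_machine(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.Machine of a PE image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)   # first field of IMAGE_FILE_HEADER
    return machine


def machine_name(machine: int) -> str:
    return {IMAGE_FILE_MACHINE_I386: "32-bit",
            IMAGE_FILE_MACHINE_AMD64: "64-bit"}.get(machine, f"machine 0x{machine:04x}")


def check_inject_lines(ini_text: str, load_dll) -> list:
    """Return a list of problems; an empty list means the lines are consistent.

    load_dll(path) -> bytes decides how DLL paths are resolved, so the check can
    run on constructed data as well as on real files. Section headers are
    ignored: the check only cares that the three lines exist and agree.
    """
    problems, seen = [], {}
    for raw in ini_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        seen[key] = value
        if key not in EXPECTED:          # OpenPipePath has no bitness to verify
            continue
        try:
            machine = pe_machine(load_dll(value))
        except (OSError, KeyError, ValueError) as exc:
            problems.append(f"{key}: cannot inspect {value!r}: {exc}")
            continue
        if machine != EXPECTED[key]:
            problems.append(f"{key}={value} is a {machine_name(machine)} DLL, "
                            f"but {key} is for {machine_name(EXPECTED[key])} DLLs")
    for key in ("InjectDll", "InjectDll64", "OpenPipePath"):
        if key not in seen:
            problems.append(f"{key}= line is missing")
    return problems


def read_file(path: str) -> bytes:
    """Loader for real DLLs on disk."""
    with open(path, "rb") as fh:
        return fh.read()


def fake_pe(machine: int) -> bytes:
    """Constructed minimal PE header (MZ stub, e_lfanew, PE signature, Machine).
    Only enough for pe_machine(); it is not a loadable DLL."""
    img = bytearray(0x80)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x44, machine)
    return bytes(img)


if __name__ == "__main__":
    # Constructed stand-ins for the two DLLs named in the post.
    dlls = {r"C:\BSA\LOG_API\LOG_API32.DLL": fake_pe(IMAGE_FILE_MACHINE_I386),
            r"C:\BSA\LOG_API\LOG_API64.DLL": fake_pe(IMAGE_FILE_MACHINE_AMD64)}
    bad_ini = "[GlobalSettings]\nInjectDll=C:\\BSA\\LOG_API\\LOG_API64.DLL\n"
    for problem in check_inject_lines(bad_ini, dlls.__getitem__):
        print("-", problem)
```

    Run it against a copy of your Sandboxie.ini with check_inject_lines(text, read_file); the three messages it prints for the bad_ini above (64-bit DLL under InjectDll, missing InjectDll64, missing OpenPipePath) are exactly the misconfiguration discussed in this thread.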
  5. stormysky_666

    stormysky_666 Registered Member

    Joined:
    Oct 3, 2020
    Posts:
    5
    Location:
    FR
    Well sorry but that's obviously not totally true, I've never added this OpenPipePath line with this weird value :)
    But I did have to add it again manually after it disappeared for some reason (?!).

    Oh you're right, my bad! I didn't notice that it didn't make sense to add the same DLL twice.

    My bad again, I didn't notice it was included in the report as there was no virus detected.
    However, when I tried to analyse another process, which probably has some viruses, I got "File not scanned yet" and "The requested resource is not among the finished, queued or pending scans" error messages in the vt json, any idea?

    Thank you again for your work and your help, much appreciated!
     
  6. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    661
    I don't know why the line disappeared after you added it. Maybe Sandboxie.ini was overwritten or modified after you updated Sandboxie's version.

    I decided to keep the json file in the report folder but it can be deleted because the important information is presented in the reports. I thought it may be of interest for some people as it contains additional info that is not included in BSA reports.

    When you receive "File not scanned yet" it means that the file was not sent to VT for scanning previously. The file will be added to the queue and will be scanned soon, so next time you ask VT for information about that file, it will probably have been processed already and the info will be available.
     
  7. stormysky_666

    stormysky_666 Registered Member

    Joined:
    Oct 3, 2020
    Posts:
    5
    Location:
    FR
    Thanks !!

    You mean calling the API back about that file, right? Is there an option to manually send the call again? I only found the option "Number of retries for VT" (which is 0 by default).

    EDIT: For other files, it seems to usually work in the expected amount of time though, but there is this one file that always gives me this message.

    reEDIT: And actually I'm wondering, is there any difference between using VT from BSA and manually uploading a file to VT?
     
    Last edited: Oct 3, 2020
  8. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    661
    I mean analyzing the file with BSA again. When BSA asks VT for information about the file, the file will probably have been analyzed already, so you will be able to see whether any antivirus reports it or not.

    When you manually upload a file to VT, if the file was already scanned it will ask you if you want to see the previous analysis or analyze the file again. BSA asks VT for the report of the file. If the file was analyzed previously it will be able to retrieve the information reported by AVs. If the file was not scanned yet, you will receive the message "File not scanned yet".
     
  9. stormysky_666

    stormysky_666 Registered Member

    Joined:
    Oct 3, 2020
    Posts:
    5
    Location:
    FR
    Thank you for all those precisions :thumb:
     
  10. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    661
    Sorry, I misunderstood your question and my reply was wrong.

    If you analyze a file that was never sent to VT for analysis, you must send it manually because BSA will not send it for analysis. After you manually upload it and VT analyzes it, the analysis report will be available to be retrieved by BSA.
     
  11. stormysky_666

    stormysky_666 Registered Member

    Joined:
    Oct 3, 2020
    Posts:
    5
    Location:
    FR
    I see, thank you for rectifying! :)

    I explored the options a bit, and I was wondering, is the packet "sniffer" supposed to see everything?
    In my example I have some "Queried DNS" with some domains, but no more information. I tried the option to dump the packets, but that wasn't more helpful.
    Am I doing something wrong or is that the expected result (and I have to use another tool, Wireshark for example, to dig into those connections)?
     
  12. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    661
    Yes, BSA reports "Queried DNS". First you must install WinPCap (Win10Pcap also works fine with BSA) and then configure the adapter you will use to capture network packets. You do this at:

    Options > Common Analysis Options > Packet Sniffer > Select Adapter
     
    Last edited: Oct 5, 2020
  13. Stukalide

    Stukalide Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    58
    Just a heads up, technically Win10Pcap is also obsolete, given it hasn't been updated in 5+ years. Much better to use Npcap, which is actively maintained (most recent update is just a couple weeks ago, 2020-09-25).

    https://nmap.org/npcap/
    https://github.com/nmap/npcap
    https://nmap.org/npcap/vs-winpcap.html

    That being said, would there be any issue with BSA relying on Npcap?
    So does that mean we should not be using Sandboxie Plus then? How would issues manifest if we do use David's Sandboxie Plus, what errors might you see or differences you might experience?
    David, what Sandboxie version do you use with BSA: classic Sandboxie or Sandboxie Plus?
    Awesome feature! Thanks for this.
    Wow, both of these features are fantastic. I didn't know about perceptual hashes, I wouldn't have imagined something like this would be possible, thinking hashes would be wildly different with even the smallest byte-sized change. And OCR recognition... wow, really excited for that.
    Really looking forward to this. Any estimate on when beta 8 might arrive?
     
  14. DavidXanatos

    DavidXanatos Developer

    Joined:
    Sep 6, 2006
    Posts:
    672
    Location:
    Viena
    Both release branches have the same core components; just configure the BSA components manually in the ini file instead of using the options in the Plus UI, as these would open their own listener pipe for the API log, hence BSA wouldn't be able to receive the data.
     
  15. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    661
    In the next few days I'll try Npcap to check if it's compatible with BSA. I'll let you know the results then.

    Sandboxie Plus already logs some APIs. To avoid conflicts (e.g. hooking an API twice) between Sandboxie Plus and BSA, it is a better idea if only one program logs APIs. That's why I suggested using the classic GUI. Maybe it's possible to use BSA and Sandboxie Plus at the same time but I don't know. If anyone makes tests it would be nice if they could share the results.

    BSA 1.89 Beta 8 is already available.

    Inside "DummyProcesses" folder I've included an example of a dummy process named "svchost.exe". This dummy file can be copied and renamed in order to be used with other processes too.

    This feature is only available in "Automatic Analysis" mode (but it can be easily replicated in "Manual Analysis" mode). You must enable the feature at "Automatic Analysis Options > Launch Dummy Processes".

    Additionally you must edit Sandboxie.ini and, in the sandbox you use to run BSA, you must include a line like this for every process you want to hide:

    HideHostProcess=process_to_hide.exe

    Examples:

    HideHostProcess=svchost.exe
    HideHostProcess=explorer.exe

    After editing, the Sandboxie configuration must be reloaded ("Reload Configuration"). Now Sandboxie will hide from sandboxed processes all the processes we included in the "HideHostProcess" list.

    I think it's pretty clear how the feature works but if anyone needs additional information just let me know.
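    Because every hidden process needs its own HideHostProcess= line inside the sandbox's own section, and a duplicated line is easy to produce when editing by hand, the following helper adds the lines to one named section without duplicating entries that are already there. It is an added example, not BSA's or Sandboxie's own code: the section name "DefaultBox" and the sample ini text are constructed, names are compared case-insensitively (Windows file names are), and the on-disk encoding of Sandboxie.ini is left to the caller since the code only works on text.

```python
"""Add HideHostProcess= lines to one sandbox section of Sandboxie.ini.

Added example, not BSA's or Sandboxie's own code. Works on the ini text in
memory; read and write the file yourself with whatever encoding your copy of
Sandboxie.ini uses (Sandboxie expects it to stay a Unicode text file).
"""
import re

SECTION_RE = re.compile(r"^\[(.+?)\]\s*$")
KEY = "HideHostProcess"


def _section_bounds(lines, sandbox):
    """Return (start, end) line indexes of the [sandbox] section, end exclusive.
    start is the header line itself; section names are matched case-insensitively."""
    start = None
    for i, line in enumerate(lines):
        m = SECTION_RE.match(line.strip())
        if m and start is not None:          # next header closes our section
            return start, i
        if m and m.group(1).lower() == sandbox.lower():
            start = i
    if start is None:
        raise KeyError(f"section [{sandbox}] not found")
    return start, len(lines)


def hidden_processes(ini_text, sandbox):
    """List the HideHostProcess= values already present in [sandbox], in file order."""
    lines = ini_text.splitlines()
    start, end = _section_bounds(lines, sandbox)
    found = []
    for line in lines[start + 1:end]:
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().lower() == KEY.lower() and value.strip():
            found.append(value.strip())
    return found


def add_hide_host_process(ini_text, sandbox, names):
    """Return ini_text with a HideHostProcess= line for each name missing from [sandbox].
    Calling it twice with the same names yields the same text (idempotent)."""
    lines = ini_text.splitlines()
    start, end = _section_bounds(lines, sandbox)
    present = {n.lower() for n in hidden_processes(ini_text, sandbox)}
    new_lines = []
    for name in names:
        if name.lower() not in present:
            new_lines.append(f"{KEY}={name}")
            present.add(name.lower())
    # Insert before the blank lines that separate this section from the next one.
    insert_at = end
    while insert_at > start + 1 and not lines[insert_at - 1].strip():
        insert_at -= 1
    lines[insert_at:insert_at] = new_lines
    return "\n".join(lines) + "\n"


# Constructed sample: a minimal Sandboxie.ini with two sandboxes.
SAMPLE_INI = (
    "[GlobalSettings]\n"
    "OpenPipePath=\\Device\\NamedPipe\\LogAPI\n"
    "\n"
    "[DefaultBox]\n"
    "Enabled=y\n"
    "HideHostProcess=explorer.exe\n"
    "\n"
    "[Other]\n"
    "Enabled=y\n"
)

if __name__ == "__main__":
    updated = add_hide_host_process(SAMPLE_INI, "DefaultBox", ["svchost.exe", "Explorer.exe"])
    print(updated)                                   # explorer.exe kept once, svchost.exe added
    print(hidden_processes(updated, "DefaultBox"))   # ['explorer.exe', 'svchost.exe']
```

    After writing the result back you still need "Reload Configuration" in Sandboxie, and each name you hide must have a matching dummy executable in the DummyProcesses folder for the "Launch Dummy Processes" option to start.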
     
  16. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    661
    I just tried Npcap and it's not compatible with BSA. Even if Npcap uses "packet.dll" and "wpcap.dll" they don't seem to be compatible with the old format.
     
  17. Stukalide

    Stukalide Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    58
    Thanks. Just out of curiosity, which setup do you personally use, classic or Plus?
    Hmm. If you're able, could you try installing it with the "Win API compatibility mode" setting? Were there any remnants of other Npcap/Win10Pcap versions still around? The big reason I'm interested in Npcap is that it's still actively developed, and thus bugs/exploits are patched out of it.
     
  18. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    661
    I tried both options: with and without "Win API compatibility mode". No way.
     
  19. Stukalide

    Stukalide Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    58
    Would it be sufficient to merely put Win10Pcap's packet.dll + wpcap.dll inside BSA.exe's folder? While monitoring BSA.exe in action, I can see that it loads both of those if I do that, I'm just not sure if there might be a conflict if there's another *Pcap install at the system level.

    The reason I'm wondering is because Wireshark now uses Npcap v1.00. However, I just now read that Npcap can be set to install in the System32\Npcap subfolder by leaving "Win API Compatibility mode" unchecked. So whether or not BSA can operate fine with the appropriate dll's residing in its directory, it appears Win10Pcap and Npcap can coexist peacefully while both installed to the system.

    I'm confused about LogApi dll versioning: it says on its Github that the latest dll's are v1.0.5, but each dll's properties says it's v1.0.4.9227 (for reference, BSA's Logapi dll's are v1.0.3.9201). Is this intended?

    What adds to this confusion is in %ProgramFiles%\Sandboxie-Plus\LogAPI\, Logapi32 dll is v1.0.3.9201, and Logapi64 is v.1.0.5.9245. Both dll's are much larger than all the other versions.

    Do you mind clarifying the differences and split versioning? I'm confused which versions would be best to use with BSA, and what the differences are with the ones installed by Sandboxie being much larger than the ones hosted on Github.
     
  20. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    661
    I don't know if that would be enough. Make tests and share results, please.

    I guess LOG_API dlls being used in BSA hook more API functions than the ones being hooked by Sandboxie Plus.
     
  21. Quassar

    Quassar Registered Member

    Joined:
    Oct 19, 2011
    Posts:
    149
    For me Sandboxie Plus lacks even the functions of normal Sandboxie.
     
  22. dFosB

    dFosB Registered Member

    Joined:
    Jun 5, 2020
    Posts:
    8
    Location:
    HSH
    Just in case - a quick'n'dirty file to convert Sandboxie's RegHive into a reg-file and open it with the standard Windows editors.
    The default location of RegHive is the current folder, but it can also be set as a parameter on the command line.
    https://anonfiles.com/Zd7206vdpe/analyze_reg_zip
     
    Last edited: Dec 3, 2020 at 9:01 AM
  23. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    661