A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #25263  by mndg
 Mon Feb 16, 2015 5:33 pm
Hello

I'd like to present you an open source sandbox solution I've been working on for a few months with the purpose of analyzing Windows malware samples.

The setup is not very complex... you will need to prepare the environment (host and guest), use some Windows OS with VirtualBox, install and configure the applications, and do some basic checks...

These two days I've been working on the documentation (wiki). There you can find the instructions required to install this project on your system (mine is macosx).
https://code.google.com/p/mandingo/wiki/MandingoSandbox

The solution also comes with a web frontend for ease of use.

Any feedback will be appreciated :)

BTW, you can follow the messages related to this project on Twitter using the hashtag #mandingoSandbox
c'u
 #25264  by EP_X0FF
 Mon Feb 16, 2015 6:23 pm
Just out of curiosity, why do you hook the same API twice and convert Unicode to ANSI everywhere?
 #25265  by mndg
 Mon Feb 16, 2015 6:54 pm
Hello

twice? where? :)

I converted Unicode strings where I needed to... do you think it should be recoded in a better way?
 #25266  by mndg
 Mon Feb 16, 2015 7:15 pm
Because I need to GetProcAddress both the Unicode and the ASCII functions I want to hook, do you know any alternative method?
 #25268  by EP_X0FF
 Tue Feb 17, 2015 4:53 am
If you hook the Unicode version of an API, this in most cases automatically covers the ANSI version, because most ANSI functions are just stubs with a call to the Unicode variant. No need to hook the same API twice.
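The A-stub-forwards-to-W pattern EP_X0FF describes, as an added C model that is not code from the mandingo project: open_a, open_w and the function-pointer slot are stand-ins for kernel32 A/W exports and an import-table entry, not real Windows APIs. The open_a_direct variant models the exception his "most cases" leaves room for, an A export that reaches the implementation without passing the exported W entry point.

```c
/* Model of the Win32 "A stub forwards to W" pattern and why a hook on
 * the W entry point also sees ANSI callers. Added example, not code from
 * the mandingo project: open_a/open_w stand in for kernel32 A/W exports
 * and the function pointer stands in for an import-table slot. */
#include <stdlib.h>
#include <wchar.h>

static int hook_hits = 0;        /* calls observed by the W hook */
static wchar_t last_path[64];    /* last argument the hook recorded */

/* "Real" wide implementation, e.g. what CreateFileW ends up doing. */
static int real_open_w(const wchar_t *path) { return (int)wcslen(path); }

/* Callers reach the W export through this slot; the sandbox patches it. */
static int (*open_w)(const wchar_t *) = real_open_w;

/* ANSI -> UTF-16 conversion done by every A stub; returns 0 on failure. */
static int to_wide(const char *s, wchar_t *out) {
    size_t n = mbstowcs(out, s, 63);
    if (n == (size_t)-1) return 0;
    out[n] = L'\0';
    return 1;
}

/* Typical ANSI export: convert, then forward to the W export. Because
 * it goes through the patched slot, the W hook sees it too. */
int open_a(const char *path) {
    wchar_t wide[64];
    return to_wide(path, wide) ? open_w(wide) : -1;
}

/* The case "most cases" leaves room for: an A export that reaches the
 * implementation without passing the exported W entry point. A W-only
 * hook misses these, so verify each API's forwarding before relying on it. */
int open_a_direct(const char *path) {
    wchar_t wide[64];
    return to_wide(path, wide) ? real_open_w(wide) : -1;
}

/* Hook placed in the W slot: record the call, then pass it on. */
static int hooked_open_w(const wchar_t *path) {
    hook_hits++;
    wcsncpy(last_path, path, 63);
    last_path[63] = L'\0';
    return real_open_w(path);
}

void install_hook(void) { open_w = hooked_open_w; hook_hits = 0; }
int hook_hit_count(void) { return hook_hits; }
const wchar_t *hook_last_path(void) { return last_path; }
```

After install_hook(), a call through open_a is counted by the W hook while open_a_direct is not, which is the coverage check worth doing per API before dropping the A hooks.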
 #25269  by Buster_BSA
 Tue Feb 17, 2015 11:37 am
Thanks for sharing the project publicly!

A few questions...

Is it possible to inject our own DLL?

Is VMware Tools installation required?

In the wiki you wrote:
You need to configure a static IP for the operating system, so we can communicate with the host (macosx/linux)
Why "(macosx/linux)" and not "(windows/macosx/linux)"?

Is it not possible to use Windows as the host?
 #25315  by mndg
 Mon Feb 23, 2015 7:51 pm
Hello

Yes, with the "sinjector.exe" client you can inject any DLL into a newly spawned process, or into a running one by its PID.

Of course, you can use Linux or Windows for the host, but the instructions are not ready yet. If you understand how it works, I think you shouldn't have too many problems setting up the laboratory properly :)

VMware Tools isn't required.
 #25321  by Buster_BSA
 Tue Feb 24, 2015 8:00 am
mndg wrote: Hello

Yes, with the "sinjector.exe" client you can inject any DLL into a newly spawned process, or into a running one by its PID.

Of course, you can use Linux or Windows for the host, but the instructions are not ready yet. If you understand how it works, I think you shouldn't have too many problems setting up the laboratory properly :)

VMware Tools isn't required.
Thanks for replying to the questions.

It would be nice if you could write a guide to set up the sandbox on Windows.

Does the "sinjector.exe" client inject the DLL into new processes too? Let's say a malware injects code into explorer.exe. Is our DLL injected into explorer.exe as well?

Please check your private messages.