[gjf]

1. Looks like "DefaultBox" problem during delete can be solved pretty simple: there should be allways one sandbox named "DefaultBox" :)
2. Does your injected dll works OK with other dll? I am using the following:

Code: Select all

InjectDll=D:\Program Files\Sandboxie\Buster Sandbox Analyzer\LOG_API.dll
InjectDll=D:\Program Files\Sandboxie\Buster Sandbox Analyzer\sbiextra.dll
InjectDll=D:\Program Files\Sandboxie\Buster Sandbox Analyzer\antidel.dll
OpenWinClass=TFormBSA

and it looks like sbiextra.dll does not work pretty stable. I am looking for solution at offorum, but concerning LOG_API.dll I believe the best way is to ask you here.

[Buster_BSA]

1. Looks like "DefaultBox" problem during delete can be solved pretty simple: there should be allways one sandbox named "DefaultBox" :)

Yes, that´s what I have readed in Sandboxie´s forum.

2. Does your injected dll works OK with other dll? I am using the following:

Code: Select all

InjectDll=D:\Program Files\Sandboxie\Buster Sandbox Analyzer\LOG_API.dll
InjectDll=D:\Program Files\Sandboxie\Buster Sandbox Analyzer\sbiextra.dll
InjectDll=D:\Program Files\Sandboxie\Buster Sandbox Analyzer\antidel.dll
OpenWinClass=TFormBSA

and it looks like sbiextra.dll does not work pretty stable. I am looking for solution at offorum, but concerning LOG_API.dll I believe the best way is to ask you here.

I only have injected two dlls at the same time (log_api.dll and antidel.dll) and everything was working fine.

Maybe sbiextra.dll and log_api.dll don´t like each other. You must consider that both dlls alter the behaviour of sandboxed processes pretty heavily.

Do you restrict internet connection in BSA sandbox?

[gjf]

I only have injected two dlls at the same time (log_api.dll and antidel.dll) and everything was working fine.

Yup, API logs helped me much. Looks like all three dll are injected but sbiextra.dll does not work. Possibly due to change of injecting mechanism in Sandboxie. I've posted about this to the sbiextra topic.

Do you restrict internet connection in BSA sandbox?

Nope. Do I have to? Some malware have to download the libraries that's why Internet connection is necessary.

[gjf]

BTW is it possible to disable API logging at all? Sometimes it takes a long time to include all operations in log file.
And I really suggest to add option to exclude some elements mentioned in "Exclusion lists" not from analysis only, but from log files as well. API logs are almost unreadable with a lot of useless strings due to Sandboxie activity and other. Sure these strings can be of interest too - that's why I am asking about option.

[Buster_BSA]

Do you restrict internet connection in BSA sandbox?

Nope. Do I have to? Some malware have to download the libraries that's why Internet connection is necessary.

If you restrict internet connection then sbiextra.dll is not necessary.

Don´t forget that malwares not only can download from internet but they can also upload information. ;)

[gjf]

If you restrict internet connection then sbiextra.dll is not necessary.
Don´t forget that malwares not only can download from internet but they can also upload information. ;)

Not exactly. I am not affraid about upload - I never store crytical passwords in my system. So it's OK. But sometimes the process can find out that I am using, for instance, some specific utilities / antiviruses outside the sandbox and modify it's own behaviour according to this information. That's why sbiextra.dll is needed for clean experiment.

What do you think about my previous post?

[Buster_BSA]

Not exactly. I am not affraid about upload - I never store crytical passwords in my system. So it's OK. But sometimes the process can find out that I am using, for instance, some specific utilities / antiviruses outside the sandbox and modify it's own behaviour according to this information. That's why sbiextra.dll is needed for clean experiment.

Ah, ok. Then the use of sbiextra.dll is necessary.

What do you think about my previous post?

What post are you talking about?

[gjf]

by gjf » Fri May 14, 2010 3:13 pm

:)

I believe with such conversation we should find some other way to contact one each other. If you would like I can send you my ICQ or something like that in PM.

[Buster_BSA]

Next BSA release will be able to do automatic analysis.

[gjf]

Cute! Thanks for your support.
By the way can you include sbiextra functionality in your injected log_api.dll? Looks like no one will continue to support sbiextra, but simetimes investigating new malware requires full isolation from the host. We have discussed it a few posts earlier.

The next moment is port and connection logging. According to my logs there are all connections including the ones belong to host, not sandbox. It is quite hard to stop network activity on host system just to analyze network activity of sandboxed applications. Is it possible to filter it in some way? Or the only solution is to shutdown all applications at host and carefully adjust port exclusion list?