I am using Sandboxie on Windows 10 operating system.
How do I get execution traces from the host after I run malware, programs, or files in Sandboxie? Can I use the API to get them?
How to get malware trace in Sandboxie?
Hello, I'm a newbie in malware analysis and trying to get the trace of malware that executes in Sandboxie. Is it possible to get it without the API? Thank you
- DavidXanatos
- Posts: 340
- Joined: Fri Mar 19, 2021 11:26 am
Re: How to get malware trace in Sandboxie?
Are you the same user?
About the question you can use the resource access monitor to trace what a program is doing, you can enable additional tracing in the advanced box options, and you can add the LogAPI dll to get additional trace output about interesting function calls.
-
- Posts: 5
- Joined: Sat Sep 18, 2021 1:28 pm
Re: How to get malware trace in Sandboxie?
Thanks for the reply,
No, we are different users, but we are in one team working on a final project on campus.
Currently, we want to get an execution trace when running the malware. I've tried resource access monitors to keep track of what a program is doing. I'm using Sandboxie classic v5.51.3.
I've read quite a lot about Buster Sandbox Analyzer, so is it true that if I want to add the LogAPI DLL, I should use BSA (https://bsa.isoftware.nl/)?
- DavidXanatos
- Posts: 340
- Joined: Fri Mar 19, 2021 11:26 am
Re: How to get malware trace in Sandboxie?
They use the same DLL, but it's configured differently: when used with BSA it will communicate with the BSA tool; if used with Sbie+ only, it will communicate with Sbie+ and log the data to the trace log of Plus.
The version I'm using right now is: https://xanasoft.com/Downloads/LogAPI.zip
I meant for a long time to add it to the normal release, but the code quality is really not great on that DLL and I did not want to put it into the repo.
You can also use the log syscalls option from the Sbie driver, but this causes far too much output; I should add a log-to-file-only option.
-
- Posts: 5
- Joined: Sat Sep 18, 2021 1:28 pm
Re: How to get malware trace in Sandboxie?
After configuring Sandboxie.ini to enable DLL injection, like this:
InjectDll=C:\logAPI\logapi32.dll
InjectDll64=C:\logAPI\logapi64.dll
OpenPipePath=\Device\NamedPipe\LogAPI
I've also read the documentation on https://sandboxie-plus.com/sandboxie/openpipepath/ and https://github.com/sandboxie-plus/LogApiDll
However, I'm still confused about the pipe. How do I set up and open the pipe server? Please help.
- DavidXanatos
- Posts: 340
- Joined: Fri Mar 19, 2021 11:26 am
Re: How to get malware trace in Sandboxie?
The pipe server has been deprecated since a few versions; the new LogAPI DLL logs the entries directly through the driver's trace functionality.
Just put the LogAPI directory in your Sandboxie installation folder and check the lowest checkbox in the trace settings, then it will make all the necessary ini modifications for you.
-
- Posts: 5
- Joined: Sat Sep 18, 2021 1:28 pm
Re: How to get malware trace in Sandboxie?
Hi,
I'm currently using Sandboxie-Plus and have read some of the documentation, but I'm still confused.
Apart from copying the trace logs directly, and getting reports via "C:\Sandbox\IEUser\DefaultBox\user\all\Microsoft\Windows\WER\ReportArchive",
how do I get all reports related to the trace logs and others that have been logged in the folder?
Thank you
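Two practical steps come up in this thread: confirming that the box's Sandboxie.ini actually carries the LogAPI injection entries shown earlier, and pulling the WER reports out of the box's sandbox folder so they can be analyzed on the host later. The script below is an added example written for this page; it is not code from the thread, from Sandboxie, or from the LogAPI project. It assumes only what the thread states: the `InjectDll`, `InjectDll64` and `OpenPipePath` keys, and the `user\all\Microsoft\Windows\WER\ReportArchive` layout under the box folder. The function names, the minimal ini parser (Sandboxie.ini may repeat a key inside a section, which a stock `configparser` would not preserve) and the constructed sample ini are all this example's own.

```python
"""Check a Sandboxie box's LogAPI injection settings and collect WER reports
from the box's sandbox folder. Added example for this thread, not Sandboxie's
own tooling; key names and folder layout are taken from the thread."""
import hashlib
import os
from pathlib import Path

# Constructed sample Sandboxie.ini (not a real system's file). Values mirror
# the InjectDll/InjectDll64/OpenPipePath lines posted in the thread.
SAMPLE_INI = r"""
; constructed sample for the example
[DefaultBox]
Enabled=y
InjectDll=C:\logAPI\logapi32.dll
InjectDll64=C:\logAPI\logapi64.dll
OpenPipePath=\Device\NamedPipe\LogAPI
"""


def parse_sandboxie_ini(text):
    """Return {section: [(key, value), ...]}, keeping order and duplicate keys.
    Sandboxie.ini allows the same key several times in one box section, so a
    dict-per-section parser would silently drop entries."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def check_logapi_injection(sections, box, file_exists=os.path.isfile):
    """Report the LogAPI injection settings of one box and whether the DLL
    paths resolve. file_exists is injectable so the check can run against a
    constructed ini on a machine without the DLLs (hypothetical helper)."""
    report = {"InjectDll": None, "InjectDll64": None, "OpenPipePath": []}
    for key, value in sections.get(box, []):
        if key in ("InjectDll", "InjectDll64"):
            report[key] = {"path": value, "exists": bool(file_exists(value))}
        elif key == "OpenPipePath":
            report["OpenPipePath"].append(value)
    return report


def collect_wer_reports(box_root, dest):
    """Copy every file under the box's WER ReportArchive into dest and return
    [(relative_path, sha256)] so the collected evidence can be verified later.
    box_root is the box folder, e.g. C:\\Sandbox\\<user>\\DefaultBox."""
    archive = Path(box_root) / "user" / "all" / "Microsoft" / "Windows" / "WER" / "ReportArchive"
    dest = Path(dest)
    collected = []
    if not archive.is_dir():
        return collected  # box has produced no WER reports yet
    for src in sorted(archive.rglob("*")):
        if not src.is_file():
            continue
        rel = src.relative_to(archive)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        data = src.read_bytes()
        target.write_bytes(data)
        collected.append((rel.as_posix(), hashlib.sha256(data).hexdigest()))
    return collected


if __name__ == "__main__":
    sections = parse_sandboxie_ini(SAMPLE_INI)
    print(check_logapi_injection(sections, "DefaultBox"))
    # On a real host, point this at the box folder and an evidence directory:
    # collect_wer_reports(r"C:\Sandbox\IEUser\DefaultBox", r"C:\evidence\DefaultBox")
```

Run the injection check before executing a sample: a missing `InjectDll64` entry or a DLL path that does not resolve is the usual reason a 64-bit process produces no LogAPI entries in the trace log. The collector records a SHA-256 per report so copies taken at different times from the same box can be compared.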
-
- Posts: 5
- Joined: Sat Sep 18, 2021 1:28 pm
Re: How to get malware trace in Sandboxie?
Hello,
I want to ask: when using Sandboxie, can we, or Sandboxie itself, directly send the trace to the host computer?
I mean, is there any trace of its execution that the host can see in a specific storage location or folder, so that it can be analyzed later? Please help, thank you very much.