How to get malware trace in Sandboxie?

yohanesray
Posts: 5
Joined: Sat Sep 18, 2021 1:28 pm

Execution Traces Sandboxie

Post by yohanesray »

I am using Sandboxie on Windows 10 operating system.
How do I get execution traces from the host after I run malware, programs, or files in Sandboxie? Can I use the API to get it?

nanababy
Posts: 2
Joined: Sun Sep 19, 2021 1:07 pm

How to get malware trace in Sandboxie?

Post by nanababy »

Hello, I'm a newbie in malware analysis and trying to get the trace of malware that executes in Sandboxie. Is it possible to get it without an API? Thank you

DavidXanatos
Posts: 340
Joined: Fri Mar 19, 2021 11:26 am

Re: How to get malware trace in Sandboxie?

Post by DavidXanatos »

Are you the same user?

About the question: you can use the resource access monitor to trace what a program is doing, you can enable additional tracing in the advanced box options, and you can add the LogAPI DLL to get additional trace output about interesting function calls.

yohanesray
Posts: 5
Joined: Sat Sep 18, 2021 1:28 pm

Re: How to get malware trace in Sandboxie?

Post by yohanesray »

Thanks for the reply,

No, we are different users, but we are in one team working on a final project on campus.

Currently, we want to get an execution trace when running the malware. I've tried the resource access monitor to keep track of what a program is doing. I'm using Sandboxie Classic v5.51.3.

I've read quite a lot about Buster Sandbox Analyzer, so is it true that if I want to add the LogAPI DLL, I should use BSA https://bsa.isoftware.nl/ ?

DavidXanatos
Posts: 340
Joined: Fri Mar 19, 2021 11:26 am

Re: How to get malware trace in Sandboxie?

Post by DavidXanatos »

They use the same DLL, but it's configured differently: when used with BSA it will communicate with the BSA tool; if used without BSA, with Sbie+ only, it will communicate with Sbie+ and log the data to the trace log of Plus.

The version I'm using right now is: https://xanasoft.com/Downloads/LogAPI.zip
I meant for a long time to add it to the normal release, but the code quality is really not great on that DLL and I did not want to put it into the repo.

You can also use the log syscalls option from the Sbie driver, but this causes far too much output; I should add a log-to-file-only option.

yohanesray
Posts: 5
Joined: Sat Sep 18, 2021 1:28 pm

Re: How to get malware trace in Sandboxie?

Post by yohanesray »

After configuring sandboxie.ini to enable DLL injection, like this:

InjectDll=C:\logAPI\logapi32.dll
InjectDll64=C:\logAPI\logapi64.dll
OpenPipePath=\Device\NamedPipe\LogAPI

I've also read the documentation on https://sandboxie-plus.com/sandboxie/openpipepath/ and https://github.com/sandboxie-plus/LogApiDll
However, I'm still confused about the pipe: how do I set up and open the pipe server? Please help.

DavidXanatos
Posts: 340
Joined: Fri Mar 19, 2021 11:26 am

Re: How to get malware trace in Sandboxie?

Post by DavidXanatos »

The pipe server has been deprecated for a few versions; the new LogAPI DLL logs the entries directly through the driver's trace functionality.

Just put the LogAPI directory in your Sandboxie installation folder and check the lowest checkbox in the trace settings; then it will make all the necessary ini modifications for you.

yohanesray
Posts: 5
Joined: Sat Sep 18, 2021 1:28 pm

Re: How to get malware trace in Sandboxie?

Post by yohanesray »

Hi,
I'm currently using Sandboxie-Plus and have read some of the documentation, but I'm still confused.
Apart from copying trace logs directly, and getting reports via "C:\Sandbox\IEUser\DefaultBox\user\all\Microsoft\Windows\WER\ReportArchive",
how do I get all reports related to trace logs and others which have been logged in the folder?
Thank you

yohanesray
Posts: 5
Joined: Sat Sep 18, 2021 1:28 pm

Re: How to get malware trace in Sandboxie?

Post by yohanesray »

Hello,
I want to ask: when using Sandboxie, can we, or Sandboxie directly, send the trace to the host computer?
I mean, is there any trace of its execution that the host can see in a specific storage location or folder, so that it can be analyzed later? Please help, thank you very much
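For the host-side step the last two posts ask about (a saved trace that can be analyzed later), here is an added example that is not code from Sandboxie or from anyone in this thread. It assumes the trace was saved from the Sandboxie-Plus trace view as tab-separated lines in the order timestamp, type, status, process, message (an assumption about the export layout; adjust the column split if your export differs). The sample lines, process names, PIDs and paths are constructed, and the autostart-key list is a small illustrative heuristic, not an exhaustive one.

```python
"""Summarise a saved Sandboxie-Plus resource-access trace on the host.

Added example, not Sandboxie's own code.  Assumed layout of each saved line
(tab-separated):  timestamp, type, status, process, message.
"""
import re
from collections import Counter, defaultdict

COLUMNS = ("timestamp", "type", "status", "process", "message")

# Registry locations commonly used for persistence (illustrative, not complete).
AUTOSTART_MARKERS = (
    r"\currentversion\run",
    r"\currentversion\runonce",
)

# Constructed sample trace; the last line is deliberately malformed.
SAMPLE_TRACE = """\
12:01:03.120\tFile\tOpen\tsample.exe (4242)\tC:\\Users\\IEUser\\AppData\\Local\\Temp\\drop.tmp
12:01:03.125\tFile\tOpen Modify\tsample.exe (4242)\tC:\\Users\\IEUser\\AppData\\Roaming\\svc.exe
12:01:03.300\tKey\tOpen Modify\tsample.exe (4242)\tHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
12:01:03.410\tIpc\tOpen\tsample.exe (4242)\t\\RPC Control\\lsasspirpc
12:01:04.000\tApiLog\t\tsample.exe (4242)\tCreateProcessW: C:\\Users\\IEUser\\AppData\\Roaming\\svc.exe
12:01:04.050\tFile\tOpen\tsvc.exe (4300)\tC:\\Windows\\System32\\kernel32.dll
12:01:04.100\tKey\tOpen\tsvc.exe (4300)\tHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
garbage line without tabs
"""


def parse_trace(text):
    """Return one dict per well-formed trace line; malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.rstrip("\r").split("\t")
        if len(parts) != len(COLUMNS):
            continue  # header, blank or garbage line: not a trace record
        entry = dict(zip(COLUMNS, parts))
        # Split "name (pid)" so entries can be grouped per process.
        m = re.fullmatch(r"(.+?) \((\d+)\)", entry["process"])
        entry["proc_name"] = m.group(1) if m else entry["process"]
        entry["pid"] = int(m.group(2)) if m else None
        entries.append(entry)
    return entries


def is_modify(status):
    """True when the trace status indicates a write/modify access."""
    return "modify" in status.lower()


def summarize(entries):
    """Aggregate access counts per process and pull out the write activity."""
    per_process = defaultdict(Counter)
    modified_files, modified_keys = set(), set()
    autostart_writes, api_calls = [], []
    for e in entries:
        per_process[e["process"]][e["type"]] += 1
        if e["type"] == "File" and is_modify(e["status"]):
            modified_files.add(e["message"])
        elif e["type"] == "Key" and is_modify(e["status"]):
            modified_keys.add(e["message"])
            if any(mk in e["message"].lower() for mk in AUTOSTART_MARKERS):
                autostart_writes.append((e["process"], e["message"]))
        elif e["type"] == "ApiLog":  # entries contributed by the LogAPI DLL
            api_calls.append((e["process"], e["message"]))
    return {
        "per_process": {p: dict(c) for p, c in per_process.items()},
        "modified_files": sorted(modified_files),
        "modified_keys": sorted(modified_keys),
        "autostart_writes": autostart_writes,
        "api_calls": api_calls,
    }


def report(text):
    """Parse and summarise a saved trace in one call."""
    return summarize(parse_trace(text))


if __name__ == "__main__":
    s = report(SAMPLE_TRACE)
    for proc, counts in s["per_process"].items():
        print(proc, counts)
    print("files written:", s["modified_files"])
    print("autostart writes:", s["autostart_writes"])
    print("API calls:", s["api_calls"])
```

Run it against your own saved trace by passing the file contents to report(); the per-process counts separate the original sample from anything it spawned, and the modify-status and autostart filters reduce a noisy trace to the few lines an analyst usually wants first.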
