sandboxie-plus / LogApiDll

API logging Library for Buster Sandbox Analyzer
https://bsa.isoftware.nl/

Nt API calls in trace not piped? #2

Open ContegoCode opened 1 month ago

ContegoCode commented 1 month ago

Using LogAPI, both release and verbose work, but I cannot seem to get the native system calls to show up as they do in Sandboxie Plus. For example, in the sandbox I see:

|Process| |Type| |Status| |Value|

Start.exe (16932, 25084) - 21:08:25.873 ApiCall (U) Trace ntdll.dll!NtClose
Start.exe (16932, 25084) - 21:08:25.873 ApiCall (U) Trace ntdll.dll!NtClose
Start.exe (16932, 25084) - 21:08:25.873 ApiCall (U) Trace ntdll.dll!NtQueryKey
Start.exe (16932, 25084) - 21:08:25.873 ApiCall (U) Trace ntdll.dll!NtOpenKeyEx
Start.exe (16932, 25084) - 21:08:25.873 ApiCall (U) Trace ntdll.dll!NtQueryValueKey
Start.exe (16932, 25084) - 21:08:25.873 ApiCall (U) Trace ntdll.dll!NtQueryValueKey
Start.exe (16932, 25084) - 21:08:25.873 ApiCall (U) Trace ntdll.dll!NtClose

But when I use LogAPI and pipe the information to my application I get:

Executing(26952): C:\Windows\regedit.exe

VirtualAllocEx(\Device\HarddiskVolume10\Windows\regedit.exe, MEM_COMMIT MEM_RESERVE MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE, RegionSize=0x0000000000010000) [c:\windows\regedit.exe]

VirtualAllocEx(\Device\HarddiskVolume10\Windows\regedit.exe, MEM_COMMIT MEM_RESERVE MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE, RegionSize=0x0000000000004000) [c:\windows\regedit.exe]

QuerySystemInformation(SystemBasicInformation) [c:\windows\regedit.exe]

QuerySystemInformation(SystemProcessorInformation) [c:\windows\regedit.exe]

QueryProcessInformation(\Device\HarddiskVolume10\Windows\regedit.exe, ProcessImageInformation) [c:\windows\regedit.exe]

CreateEvent(SBIE_BOXED_ServiceInitComplete_RpcSs) [c:\windows\regedit.exe]

CreateThread() [c:\windows\regedit.exe]

ResumeThread(27024) [c:\windows\regedit.exe]

OpenProcessToken(\Device\HarddiskVolume10\Windows\regedit.exe, TOKEN_QUERY, TOKEN_READ) [c:\windows\regedit.exe]

FindWindow(RegEdit_RegEdit, null) [c:\windows\regedit.exe]

CreateEvent(null) [c:\windows\regedit.exe]

GetModuleHandle(shell32.dll) [c:\windows\regedit.exe]

VirtualAllocEx(\Device\HarddiskVolume10\Windows\regedit.exe, MEM_COMMIT MEM_RESERVE MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE, RegionSize=0x0000000000010000) [c:\windows\regedit.exe]

VirtualAllocEx(\Device\HarddiskVolume10\Windows\regedit.exe, MEM_COMMIT MEM_RESERVE MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE, RegionSize=0x0000000000004000) [c:\windows\regedit.exe]

I am fairly sure this must be a simple fix, but I also figured any traces enabled in Sandboxie Plus that are output to the trace window would be piped too, and not just the user calls. Thank you for all your hard work! I very much look forward to hearing your reply, as I am stuck at the moment.

Here is my config file:

#
# Sandboxie configuration file
#

[GlobalSettings]
FileRootPath=C:\Users\Cobal\OneDrive\Desktop\Dynamic Extractor\Dynamic Extractor\bin\x64\Debug\Sandbox\%SANDBOX%
Template=WindowsRasMan
Template=WindowsLive
Template=Edge_Fix
Template=OfficeLicensing
Template=NotepadPlusPlusfix
Template=OfficeClickToRun
ApproveWinNtSysCall=SubscribeWnfStateChange
TraceLogging=y
DefaultBox=DefaultBox
KeyRootPath=\REGISTRY\USER\Sandbox_%USER%_%SANDBOX%
IpcRootPath=\Sandbox\%USER%\%SANDBOX%\Session_%SESSION%

[UserSettings_0C080202]
SbieCtrl_UserName=cobal
SbieCtrl_BoxExpandedView=DefaultBox
SbieCtrl_AutoStartAgent=SandMan.exe -autorun
SbieCtrl_WindowCoords=1226,164,498,299
SbieCtrl_ActiveView=40021
SbieCtrl_ProcessViewColumnWidths=250,70,300
SbieCtrl_NextUpdateCheck=1719589864
SbieCtrl_EnableAutoStart=n
SbieCtrl_HideMessage=y
BoxGrouping=:DefaultBox

[DefaultBox]
Enabled=y
BlockNetworkFiles=y
BorderColor=#00ffff,off,6
Template=OpenBluetooth
Template=SkipHook
Template=FileCopy
Template=qWave
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
ConfigLevel=10
ApiTrace=y
InjectDll=C:\Users\Cobal\OneDrive\Desktop\Dynamic Extractor\Extractor\bin\x64\Debug\Sandbox\logapi32.dll
InjectDll64=C:\Users\Cobal\OneDrive\Desktop\Dynamic Extractor\Dynamic Extractor\bin\x64\Debug\Sandbox\logapi64.dll
OpenPipePath=\Device\NamedPipe\LogAPI
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y
MsiInstallerExemptions=y
ProcessLimit1=20
ProcessLimit2=30
BoxNameTitle=-
CopyLimitKb=102400
PromptForFileMigration=n
CopyLimitSilent=y
ConfigLevel=8
ClosedFilePath=!,
ClosedFilePath=!
TraceNetworkAccess=y
FakeAdminRights=y
CoverBoxedWindows=y
RpcMgmtSetComTimeout=n
ClosedIpcPath=,*
OpenClipboard=n
LingerExemptWnds=n
LingerLeniency=n
ProcessGroup=,vmconnect.exe,securekernel.exe,memtest.exe
AutoDelete=y

kokofixcomputers commented 1 month ago

@DavidXanatos Please take a look :) Thanks

DavidXanatos commented 1 month ago

Well, this has a very good reason: the system calls are not captured by the LogAPI DLL but by the Sandboxie driver directly. So what you want to do won't easily work; one could add additional hooks or syscall instrumentation to LogAPI, but that currently has not been implemented.

ContegoCode commented 1 month ago

OK, I noticed a release was just published, 1.14.3. Is it in the works to maybe have a CLI option to save all enabled trace output to a log file?

ContegoCode commented 1 month ago

OK, so I could implement a communication port within the driver, maybe?


DavidXanatos commented 1 month ago

This issue is also present in Sandboxie when running applications in app compartment mode; there the syscalls are not routed through the driver. You can look at NTSTATUS InstallInstrumentationCallback() for how to log syscalls in user mode. I added it recently in 1.13.x, but it seems to sometimes cause crashes, so I need to debug that a bit more.

About the log file: you can save it from the GUI. Alternatively, you could talk to the driver and receive the log instead of the GUI.

ContegoCode commented 1 month ago

I was hoping there would be a way to get the Nt calls without needing the Sandboxie GUI or having to manually click on Save, and instead have an automated way of either saving the output to log files for each process execution or piping the Nt calls directly using a communication port or some other inter-process communication means. If this is not implemented yet, should I look into the driver's callback area, either pre-op or post-op, to set up something there? What would be your best opinion here?

DavidXanatos commented 1 month ago

If you can load SbieDll.dll in your project, you can use its API to enable trace logging and receive events; see SbieApi_MonitorControl and SbieApi_MonitorGetEx. Ideally you would need a not-yet-implemented SbieApi_MonitorGet2, but you can use SbieApi_Call instead.
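An added example, not code from this thread or from the Sandboxie project, of the path named in the comment above: turn the trace log on with SbieApi_MonitorControl and drain it one entry at a time with SbieApi_MonitorGetEx from .NET via P/Invoke. The prototypes (LONG SbieApi_MonitorControl(ULONG *NewState, ULONG *OldState); LONG SbieApi_MonitorGetEx(ULONG *SeqNum, ULONG *Type, ULONG64 *Pid, ULONG64 *Tid, WCHAR *Name) with a 256-WCHAR name buffer), the "nothing more to read" handling, and the "module!NtXxx" form of Name are assumptions taken from SbieApi.h and the trace window output as I read them; check them against the header of the Sandboxie version you link against. The box needs ApiTrace=y (the config above has it) for Nt calls to reach the log, and the consumer runs unsandboxed, as SandMan and SbieCtrl do.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Runtime.InteropServices
Imports System.Text
Imports System.Threading

' Added example: read the Sandboxie trace log through SbieDll.dll one entry
' at a time. Prototypes are assumed from SbieApi.h; verify against your version.
Module SbieMonitor
    Private Const SbieDll As String = "SbieDll.dll"

    ' LONG SbieApi_MonitorControl(ULONG *NewState, ULONG *OldState)
    ' 1 turns the trace log on, 0 turns it off; OldState may be NULL.
    <DllImport(SbieDll, CallingConvention:=CallingConvention.Cdecl)>
    Private Function SbieApi_MonitorControl(ByRef newState As UInteger,
                                            oldState As IntPtr) As Integer
    End Function

    ' LONG SbieApi_MonitorGetEx(ULONG *SeqNum, ULONG *Type, ULONG64 *Pid,
    '                           ULONG64 *Tid, WCHAR *Name)
    ' Name must point at a buffer of at least 256 WCHARs (assumption, see SbieApi.h).
    <DllImport(SbieDll, CallingConvention:=CallingConvention.Cdecl, CharSet:=CharSet.Unicode)>
    Private Function SbieApi_MonitorGetEx(ByRef seqNum As UInteger,
                                          ByRef entryType As UInteger,
                                          ByRef pid As ULong,
                                          ByRef tid As ULong,
                                          name As StringBuilder) As Integer
    End Function

    Public Structure TraceEntry
        Public SeqNum As UInteger
        Public EntryType As UInteger  ' MONITOR_* flags from the Sandboxie headers
        Public Pid As ULong
        Public Tid As ULong
        Public Name As String         ' e.g. "ntdll.dll!NtOpenKeyEx" for API traces (assumed form)
    End Structure

    Public Sub EnableTrace(enable As Boolean)
        Dim state As UInteger = If(enable, 1UI, 0UI)
        Dim status As Integer = SbieApi_MonitorControl(state, IntPtr.Zero)
        If status <> 0 Then
            Throw New InvalidOperationException(
                "SbieApi_MonitorControl failed: 0x" & status.ToString("X8"))
        End If
    End Sub

    ' Returns every entry currently queued; empty once the log is drained.
    Public Function DrainTrace() As List(Of TraceEntry)
        Dim entries As New List(Of TraceEntry)()
        Dim name As New StringBuilder(256)
        Dim seqNum As UInteger = 0  ' last sequence number seen is passed back in

        Do
            Dim entryType As UInteger = 0
            Dim pid As ULong = 0
            Dim tid As ULong = 0
            name.Clear()

            Dim status As Integer = SbieApi_MonitorGetEx(seqNum, entryType, pid, tid, name)
            ' Assumption: a non-zero status or a zero type means "nothing more to read".
            If status <> 0 OrElse entryType = 0 Then Exit Do

            entries.Add(New TraceEntry With {
                .SeqNum = seqNum, .EntryType = entryType, .Pid = pid, .Tid = tid,
                .Name = name.ToString()})
        Loop

        Return entries
    End Function

    Sub Main()
        EnableTrace(True)
        Try
            ' Poll instead of spinning; the driver queues entries between polls.
            For i As Integer = 1 To 200
                For Each e In DrainTrace()
                    ' Keep only the Nt* entries, the ones LogAPI cannot deliver.
                    If e.Name.IndexOf("!Nt", StringComparison.Ordinal) >= 0 Then
                        Console.WriteLine("{0} ({1}, {2}) type=0x{3:X} {4}",
                                          e.SeqNum, e.Pid, e.Tid, e.EntryType, e.Name)
                    End If
                Next
                Thread.Sleep(100)
            Next
        Finally
            EnableTrace(False)
        End Try
    End Sub
End Module
```

This is the one-event-at-a-time path; it needs no variadic P/Invoke declaration, at the cost of one driver round trip per entry. The type field is left as a raw bitmask so that the program does not depend on a particular MONITOR_* numbering; decode it against the header of the version in use.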

ContegoCode commented 1 month ago

OK, so essentially, if I understand you, if I import SbieDll.dll into my project I can call its functions or subs to get the Nt trace data? Sorry, I am not familiar with a not-implemented SbieApi_MonitorGet2; what is SbieApi_Call, and how can I use it? Are the function and sub names self-explanatory and easy to use? I am coding using the .NET Framework and not C or C++ for this particular project. I may need to P/Invoke?

DavidXanatos commented 1 month ago

Yes, you will need P/Invoke. I never implemented SbieApi_MonitorGet2, as the old UI has only a very rudimentary trace log and the new UI does not use SbieDll.dll but instead a newly implemented Qt-based API library, which for you is NOT useful, as you surely don't want the entire Qt framework as a dependency in your .NET project.

SbieApi_Call is a variable-argument function; it seems in .NET it's a bit tricky to use one of those, but possible: https://stackoverflow.com/questions/2124490/what-is-the-proper-pinvoke-signature-for-a-function-that-takes-var-args It takes the message ID as first argument, the parameter count as second, and then the 0-7 arguments.

Look at bool CSbieAPI::GetMonitor() in the new QSbieApi.dll source; it takes 2 arguments, buffer length and pointer, and gives you a bunch of results all together to be split apart "manually". This offers much better performance than retrieving the trace data one event at a time. So in C it would be something like:

SbieApi_Call(API_MONITOR_GET2, 2, pMyBuffer, &MyBufferSize)

MyBufferSize must be a ULONG and contain the size of the available buffer before the call; after the call it will contain the size of the data returned.

A nice thing about API_MONITOR_GET2 is that, as part of the returned trace log entries, you can obtain a full stack trace for each log entry if that was enabled in the INI before the logging was initialized.

ContegoCode commented 1 month ago

I have it almost working, but SbieApi_Call does not seem to exist in the source code of QSbieApi.dll; I did find it in Start.cpp and various other places in the source. Importing QSbieApi.dll and calling SbieApi_Call also returns an entry point not found exception. API_MONITOR_GET2 seems to pertain to an undefined enum with a value of 305397832; is this the message ID? Once I can correct these I believe the issue should be resolved. Thank you for your hard work and help.

Here is the code I have so far:

Imports System
Imports System.Runtime.InteropServices
Imports System.Text
Imports System.Threading

Module SbieApi
    ' SbieApi_Call is exported by SbieDll.dll (Sandboxie's user-mode DLL), not by
    ' QSbieAPI.dll, which is the Qt wrapper used by SandMan; importing it from
    ' QSbieAPI.dll is what produces the "entry point not found" exception.
    Private Const SbieDll As String = "SbieDll.dll"

    ' API_MONITOR_GET2 enum value from the Sandboxie sources (0x12340048).
    Private Const API_MONITOR_GET2 As Integer = 305397832

    ' SbieApi_Call(api_code, arg_count, ...) is variadic (cdecl). Declaring the two
    ' actual arguments as fixed parameters works for this call shape. The length is
    ' a C ULONG, which is 32 bits, so it is UInteger here, not ULong (64 bits).
    <DllImport(SbieDll,
               CallingConvention:=CallingConvention.Cdecl,
               EntryPoint:="SbieApi_Call")>
    Public Function SbieApi_Call(messageId As Integer,
                                 paramCount As Integer,
                                 buffer As IntPtr,
                                 ByRef bufferSize As UInteger) As Integer
    End Function

    Public Delegate Sub TraceLogEventHandler(ByVal traceLog As String)
    Public Event TraceLogReceived As TraceLogEventHandler
    Public listening As Boolean = True

    Public Sub ListenForTraces()
        Const capacity As UInteger = 1024UI * 1024UI ' 1 MB buffer
        Dim buffer As IntPtr = Marshal.AllocHGlobal(CInt(capacity))

        Try
            While listening
                ' The size argument is in/out: pass the available size, get back the
                ' number of bytes returned. It must be reset before every call, or the
                ' next call would advertise only as much space as the last one used.
                Dim bufferSize As UInteger = capacity
                Dim result As Integer = SbieApi_Call(API_MONITOR_GET2, 2, buffer, bufferSize)

                If result = 0 Then
                    If bufferSize > 0 Then
                        ' Copy only the bytes the driver actually filled.
                        Dim data(CInt(bufferSize) - 1) As Byte
                        Marshal.Copy(buffer, data, 0, CInt(bufferSize))

                        ' Sandboxie strings are WCHAR (UTF-16), so decode as Unicode,
                        ' not UTF-8. The buffer packs several entries, each with
                        ' fields in front of its text; split them following the
                        ' layout used by CSbieAPI::GetMonitor().
                        Dim traceLog As String = Encoding.Unicode.GetString(data)
                        RaiseEvent TraceLogReceived(traceLog)
                    Else
                        Thread.Sleep(50) ' nothing pending; do not spin on the driver
                    End If
                Else
                    ' Non-zero is an NTSTATUS-style failure code.
                    Console.WriteLine("Error retrieving trace log: 0x" & result.ToString("X8"))
                    Thread.Sleep(250)
                End If
            End While
        Finally
            Marshal.FreeHGlobal(buffer)
        End Try
    End Sub
End Module