Exetools forum, General Discussion
Thread: safeEngine sandboxie and vmware detection

#1  wassim_ (Friend), 06-26-2018, 06:09

Hello.

Does anyone know how to circumvent safeEngine's detection of Sandboxie and/or VMware (Safengine version 2.4.0)? I have a target I wish to run so as to extract some DLLs embedded in it, and I don't want to risk getting my debug machine messed up by malware (the file is risky, as it is detected by *some* online virus scanners as a trojan; it might be a false positive though...).

Thank you in advance.

Last edited by wassim_; 06-26-2018 at 06:17.
#2  DavidXanatos (Family), 07-14-2018, 15:04
Hello,

I don't know of a ready solution, but I may have an idea of how it may detect Sandboxie.
Since the 64-bit version of Sandboxie, afaik, it no longer uses the driver for access redirection but the injected DLL instead; the driver is only used to enforce access restrictions.
So if I wanted to detect whether my application runs under Sandboxie, I would try to bypass the possible redirections implemented by DLL hooking and compare the results with accessing files the normal way.

Cheers
David X.
#3  Megin (Banned User), 07-14-2018, 17:30
(Quoting wassim_, post #1 above.)

Share the target. I am ready to help.
#4  wassim_ (Friend), 07-14-2018, 19:02
(Quoting DavidXanatos, post #2 above.)

It's simply refusing to run under Sandboxie; it doesn't bypass the sandbox isolation as far as I know.
#5  DavidXanatos (Family), 07-14-2018, 19:56
Quote (wassim_, post #4): "It's simply refusing to run under Sandboxie; it doesn't bypass the sandbox isolation as far as I know."

I got that, I was just speculating how it could check whether it's in a sandbox or not, using known limitations of the 64-bit Sandboxie implementation as I understand them.
Tags: safeengine, sandboxie, vmware
