Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   safeEngine sandboxie and vmware detection (https://forum.exetools.com/showthread.php?t=18822)

wassim_ 06-26-2018 06:09

safeEngine sandboxie and vmware detection
 
Hello.

Does anyone know how to circumvent safeEngine's detection of sandboxie and/or vmware (Safengine version 2.4.0)? I have a target I wish to run so as to extract some DLLs embedded in it, and I don't want to risk getting my debug machine messed up by malware (the file is risky, as it is detected by *some* online virus scanners as a trojan; it might be a false positive though...)

Thank you in advance.

DavidXanatos 07-14-2018 15:04

Hello,

I don't know of a ready solution, but I may have an idea of how it may detect sandboxie.
Since the 64-bit version of sandboxie, afaik, it no longer uses the driver for access redirection but instead the injected DLL; the driver is only used to enforce access restrictions.
So if I were to try to detect whether my application runs under sandboxie, I would try to bypass possible redirections implemented by DLL hooking and compare the results with accessing files the normal way.

Cheers
David X.
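The post above sketches how a protector could spot Sandboxie on 64-bit: if file and registry redirection happens in an injected user-mode DLL that hooks API entry points inside the process, a program can check whether those entry points are still intact (or bypass them and compare results). The following is an added example, not code from this thread, from Sandboxie or from Safengine: it classifies the first bytes of an ntdll Nt* export as an intact x64 syscall stub or as an inline-hooked one, which is the building block of such a check. The intact-stub byte layouts are the familiar Windows 7 and Windows 10 x64 shapes; the sample buffers are hand-assembled for this example rather than dumped from a real system, their syscall numbers are placeholders, and the list of function names examined on Windows is an assumption about what a redirection layer would hook.

```c
/* Added example: is an ntdll Nt* stub intact, or has its prologue been
 * detoured by an inline hook?  Not code from the thread, Sandboxie or
 * Safengine. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { STUB_INTACT = 0, STUB_HOOKED = 1, STUB_UNKNOWN = 2 } stub_state;

/* Classify up to n bytes of a function prologue.  An intact x64 Nt* stub
 * begins with mov r10,rcx / mov eax,SSN and reaches a syscall within a few
 * bytes (Windows 10 inserts a test/jne for the int 2Eh fallback in between).
 * Inline hooking engines overwrite the first bytes with a jump into the
 * hooking DLL, so a leading jmp means the stub has been detoured.
 * Returns STUB_INTACT and stores the syscall number in *ssn, STUB_HOOKED,
 * or STUB_UNKNOWN if the bytes match neither shape. */
stub_state classify_nt_stub(const uint8_t *p, size_t n, uint32_t *ssn)
{
    if (p == NULL || n < 2)
        return STUB_UNKNOWN;

    /* Trampolines commonly emitted by detour libraries. */
    if (p[0] == 0xE9)                                   /* jmp rel32            */
        return STUB_HOOKED;
    if (p[0] == 0xFF && p[1] == 0x25)                   /* jmp [rip+disp32]     */
        return STUB_HOOKED;
    if (n >= 12 && p[0] == 0x48 && p[1] == 0xB8 &&
        p[10] == 0xFF && p[11] == 0xE0)                 /* mov rax,imm64; jmp rax */
        return STUB_HOOKED;
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3)         /* push imm32; ret      */
        return STUB_HOOKED;

    /* 4C 8B D1 = mov r10,rcx ; B8 imm32 = mov eax,SSN */
    if (n >= 8 && p[0] == 0x4C && p[1] == 0x8B && p[2] == 0xD1 && p[3] == 0xB8) {
        for (size_t i = 8; i + 1 < n && i < 24; i++) {
            if (p[i] == 0x0F && p[i + 1] == 0x05) {     /* syscall */
                if (ssn)
                    *ssn = (uint32_t)p[4] | ((uint32_t)p[5] << 8) |
                           ((uint32_t)p[6] << 16) | ((uint32_t)p[7] << 24);
                return STUB_INTACT;
            }
        }
    }
    return STUB_UNKNOWN;
}

/* The syscall number of an intact stub, or UINT32_MAX otherwise. */
uint32_t extract_ssn(const uint8_t *p, size_t n)
{
    uint32_t ssn = 0;
    return classify_nt_stub(p, n, &ssn) == STUB_INTACT ? ssn : UINT32_MAX;
}

/* Constructed sample prologues (hand-assembled for this example, not dumped
 * from a real machine; the syscall numbers are placeholders). */
static const uint8_t sample_intact_win10[] = {
    0x4C, 0x8B, 0xD1,                                   /* mov r10, rcx        */
    0xB8, 0x55, 0x00, 0x00, 0x00,                       /* mov eax, 0x55       */
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01,     /* test byte [7FFE0308h], 1 */
    0x75, 0x03,                                         /* jne  +3             */
    0x0F, 0x05,                                         /* syscall             */
    0xC3,                                               /* ret                 */
    0xCD, 0x2E, 0xC3                                    /* int 2Eh ; ret       */
};
static const uint8_t sample_intact_win7[] = {
    0x4C, 0x8B, 0xD1, 0xB8, 0x52, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3
};
static const uint8_t sample_hooked_jmp[] = {
    0xE9, 0x00, 0x10, 0x00, 0x00,                       /* jmp rel32 into a hook DLL */
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90
};

#ifdef _WIN32
#include <windows.h>
/* On Windows, examine live ntdll exports that a file/registry redirection
 * layer would be expected to hook (the function list is an assumption). */
int main(void)
{
    const char *names[] = { "NtCreateFile", "NtOpenFile", "NtQueryAttributesFile", "NtOpenKey" };
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        const uint8_t *fn = ntdll ? (const uint8_t *)GetProcAddress(ntdll, names[i]) : NULL;
        uint32_t ssn = 0;
        stub_state s = classify_nt_stub(fn, 32, &ssn);
        printf("%-22s %s", names[i],
               s == STUB_INTACT ? "intact" : s == STUB_HOOKED ? "HOOKED" : "unknown");
        if (s == STUB_INTACT) printf(" (syscall %u)", ssn);
        putchar('\n');
    }
    return 0;
}
#else
/* Elsewhere, run the classifier over the constructed samples. */
int main(void)
{
    printf("win10 stub: %d ssn=%u\n",
           classify_nt_stub(sample_intact_win10, sizeof sample_intact_win10, NULL),
           extract_ssn(sample_intact_win10, sizeof sample_intact_win10));
    printf("win7 stub : %d\n", classify_nt_stub(sample_intact_win7, sizeof sample_intact_win7, NULL));
    printf("hooked    : %d\n", classify_nt_stub(sample_hooked_jmp, sizeof sample_hooked_jmp, NULL));
    return 0;
}
#endif
```

An intact prologue is only evidence, not proof: a hook can be placed past the first instructions, in the export or import tables, or in the caller rather than the callee, and a protector can be detoured in turn. The stronger form of the check is the one the post alludes to, issuing the request without the hooked path (a direct syscall, or a second copy of ntdll mapped from disk) and comparing the outcome with the normal call; this example only covers the prologue inspection half of that.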

Megin 07-14-2018 17:30

Quote:

Originally Posted by wassim_ (Post 113769)
Hello.

Does anyone know how to circumvent safeEngine's detection of sandboxie and/or vmware (Safengine version 2.4.0)? I have a target I wish to run so as to extract some DLLs embedded in it, and I don't want to risk getting my debug machine messed up by malware (the file is risky, as it is detected by *some* online virus scanners as a trojan; it might be a false positive though...)

Thank you in advance.

Share the target. I am ready to help.

wassim_ 07-14-2018 19:02

Quote:

Originally Posted by DavidXanatos (Post 113980)
Hello,

I don't know of a ready solution, but I may have an idea of how it may detect sandboxie.
Since the 64-bit version of sandboxie, afaik, it no longer uses the driver for access redirection but instead the injected DLL; the driver is only used to enforce access restrictions.
So if I were to try to detect whether my application runs under sandboxie, I would try to bypass possible redirections implemented by DLL hooking and compare the results with accessing files the normal way.

Cheers
David X.

It's simply refusing to run under sandboxie; it doesn't bypass the sandbox isolation as far as I know.

DavidXanatos 07-14-2018 19:56

Quote:

Originally Posted by wassim_ (Post 113987)
It's simply refusing to run under sandboxie; it doesn't bypass the sandbox isolation as far as I know.

I got that, I was just speculating about how it could check whether it's in a sandbox or not, using known limitations of the 64-bit sandboxie implementation as I understand them.
