
Buster Sandbox Analyzer - Portable Weakness Analysis System - Sandboxie


Readers are probably familiar with Buster Sandbox Analyzer and Sandboxie. In essence, they run a suspicious file inside a sandbox and track the changes it makes to the system (nothing touches the real system). If you have never heard of them, you can skip this topic; it will not interest you. Or read up on them here: bsa.isoftware.nl

A lot has been written about setting up the system on Habr, in Hacker magazine, and on a number of forums. The main problem has always been the initial configuration: what to install, what to change, what to register.

So I put in some effort, roped in several other good people along the way, and made a portable version of this package. A permanently up-to-date link to it: tools.safezone.cc/gjf/Sandboxie-portable.zip

To be clear, I will not discuss in this thread how to use Buster Sandbox Analyzer or how to identify what is malicious. Only the portable build is covered, and for it everything is simple.

1. Start the system with the start.cmd file, run as Administrator.

2. Out of the box the system is configured for Russian. If you want a different language, write the code page number into the Language.txt file in the Templates folder, or delete that file altogether and the language of the installed OS will be used.

3. When you are done, run stop.cmd. All settings are saved back to the corresponding files in the Templates folder and the system is unloaded. To restore the default settings, run Templates.exe in the folder of the same name; it unpacks the original files.

ATTENTION: the Sandboxie driver cannot be fully unloaded until a reboot. So if you run stop.cmd and then decide to start working again, you will have to reboot before running start.cmd again.

A few words about BSA.ini.template and sandboxie.ini.template in the Templates folder.

These are essentially the BSA and Sandboxie settings files: they are pushed into the system while it runs and written back to Templates at the end.

The parameters you can change there are the documented parameters of each program, but a few additions have been made, which I will describe.

BSA.ini.template
The following placeholders can be written in the file:
$(Language) - language code page
$(InstallDrive) - drive from which the portable system is running
$(InstallPath) - folder from which the portable system is running

Sandboxie.ini.template
$(InstallDrive) - drive from which the portable system is running
$(InstallPath) - folder from which the portable system is running
In Sandboxie.ini.template these placeholders work only for the FileRootPath and InjectDll parameters.

In practice, start.cmd replaces the placeholders with their actual values, and stop.cmd converts the values back into placeholders and returns the files to the Templates folder.
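The substitution that start.cmd and stop.cmd perform, as an added Python example that is not part of the original post or package: it expands $(Language), $(InstallDrive) and $(InstallPath), limits the rewrite to FileRootPath and InjectDll lines in Sandboxie.ini.template, and reverses it longest-value-first so the drive letter inside the install path is not templated on its own. The sample template text and values are constructed; the UTF-16 versus single-byte file handling and the name EXAMPLE_HOOK.DLL are assumptions.

```python
import re
from pathlib import Path

# Which lines each template rewrites: only FileRootPath/InjectDll in Sandboxie.ini.template
# (as the post states); None means every line, as in BSA.ini.template.
KEYS_BY_TEMPLATE = {"sandboxie.ini.template": {"FileRootPath", "InjectDll"},
                    "bsa.ini.template": None}
PLACEHOLDER = re.compile(r"\$\((\w+)\)")

def _line_allowed(template: str, line: str) -> bool:
    keys = KEYS_BY_TEMPLATE.get(template.lower())
    return keys is None or line.split("=", 1)[0].strip() in keys

def render(template: str, text: str, values: dict) -> str:
    """start.cmd direction: $(Name) -> live value; unknown names are left as-is."""
    out = []
    for line in text.splitlines(keepends=True):
        if _line_allowed(template, line):
            line = PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), line)
        out.append(line)
    return "".join(out)

def untemplate(template: str, text: str, values: dict) -> str:
    """stop.cmd direction: live value -> $(Name), on the same lines only.
    Longest value first, or E:\\Tools\\Sandboxie would turn into
    $(InstallDrive)\\Tools\\Sandboxie instead of $(InstallPath)."""
    ordered = sorted(((k, v) for k, v in values.items() if v), key=lambda kv: -len(kv[1]))
    out = []
    for line in text.splitlines(keepends=True):
        if _line_allowed(template, line):
            for name, val in ordered:
                line = line.replace(val, f"$({name})")
        out.append(line)
    return "".join(out)

def read_ini(path) -> tuple:
    """Sandboxie.ini is UTF-16 with a BOM (assumed); files without one are read as
    latin-1, which round-trips any single-byte ANSI file byte-for-byte (placeholders are ASCII)."""
    raw = Path(path).read_bytes()
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1"
    return raw.decode(enc), enc

def write_ini(path, text: str, enc: str) -> None:
    Path(path).write_bytes(text.encode(enc))  # "utf-16" re-emits the BOM

# Constructed sample (not from the post): a Sandboxie template plus live values.
SAMPLE = ("[GlobalSettings]\nFileRootPath=$(InstallDrive)\\Sandbox\\%SANDBOX%\n"
          "[BSA]\nInjectDll=$(InstallPath)\\BSA\\EXAMPLE_HOOK.DLL\nEnabled=y\n")
VALUES = {"InstallDrive": "E:", "InstallPath": "E:\\Tools\\Sandboxie", "Language": "1251"}
```

`render(...)` followed by `untemplate(...)` with the same values returns the template unchanged, which is the property the start/stop pair relies on.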

By default, Sandboxie is configured for four sandboxes:
BSA - for analysis using Buster Sandbox Analyzer
Secure - for safe execution of applications (browsers, etc.)
Undelete - runs applications while keeping every file they create (even if the sample being run tries to delete them). ATTENTION: a number of installers will not work in this sandbox
Unpack - for unpacking installers (a pretend installation inside the sandbox)

You are of course free to create as many new sandboxes as you like; their settings will be saved to the files in Templates when you finish.

The package is built on the shareware-licensed Sandboxie and is fully functional within the restrictions imposed by its author. Inquisitive minds can lift those restrictions, but by doing so you violate the license terms and break the law! (I had to warn you.)

There will surely be people who say that command scripts are for lamers, that it all could have been done more nicely, and so on. Unfortunately (or fortunately), at the time of writing I knew of no more convenient way to make Sandboxie portable while handling parameter text files in both Unicode and ASCII. So I did it as best I could; please do not judge too harshly, and whoever can do better is welcome to try, I will only be glad.

Source: https://habr.com/ru/post/147532/
