Sandboxing - Question

MALHunter

MALHunter

Level 1
Thread author
Oct 3, 2016
6
Hello everyone ! It's my first post here and I need to your help about malware sandboxing.
I want to obtain some information about malware sandbox mechanism.
What mechanism is used for extracting information (such as system call) in kernel mode and user mode sandboxes?(in other word What's the difference between a kernel mode sandbox and user mode sandbox?)
Please Introduce some malware sandbox that used kernel mode and user mode sandboxing?
 
  • Like
Reactions: Wave, Der.Reisende, Logethica and 1 other person
W

Wave

There are many different methods when it comes to sandboxing programs however without manual analysis on specific sandboxing software it's hard to determine what techniques are being utilised (unless specified publicly by the vendor).

MALHunter said:
What mechanism is used for extracting information
Click to expand...
API hooking - most sandboxing software will evolve around this method since it allows the sandbox software to alter the execution flow of the target program and intercept upon certain API calls (which are targeted) and then continue to either redirect/block the actions entirely or just log it and allow it to pass through. Of course nothing is bullet-proof and everything has flaws however this method is also commonly found for the internals of most BB/HIPS/Dynamic Heuristics functionality in traditional AV/IS software (and also can be used for self-protection mechanisms in security software).

On x64 systems you won't really find kernel-mode sandboxing techniques being utilised - you can find sandbox software making use of File system Mini-filter drivers to restrict access to specific folders/files, but you won't find sandboxing software using kernel-patching techniques due to KPP (Kernel Patch Protection) which is integrated into PatchGuard (one of the Windows security features which was introduced at the start of Windows Vista for x64 versions of the OS only).

On x86 systems sandboxing software can be much more secure since it can utilise kernel-patching techniques (e.g. hook the System Service Dispatch Table) and thus this makes bypassing the sandbox software much more difficult - this is due to not being able to escape the hooks without unhooking of the SSDT which would require kernel-mode components (and if the sandbox restricted the program properly it would be unable to load a device driver to give it the advantage and power of escaping the sandbox).

Most of the time you'll find sandboxing software using user-mode (ring 3) hooks (e.g. IAT/EAT hooking techniques - this is the practise of modifying the pointer addresses for a function in the IAT/EAT table to the pointer address of the callback function, which will result in code execution flow modification so the new callback function is invoked when the target hooked function is called by the affected program/s). The main downside of these techniques is that sandboxed malware can potentially find methods of escaping the sandbox due to manual implementation of the function prologue (e.g. NTAPI) they want to call/system calls, thus evading the set hooks without alarming the sandboxing software - instead of this an alternate would be to just attempt to remove the hooks and then call the functions as it normally would.

However kernel-mode patching for sandboxing is much more difficult than just some kernel-mode hooking techniques since it's system-wide and thus results in affecting all running programs (so lots of work to polish it up to work right is necessary), therefore it won't work as well as user-mode hooking (which would only affect the target programs which have the sandbox code injected into them), regardless of if kernel-mode patching is more secure than user-mode patching methods - user-mode methods are much more stable since it won't result in a system-wide crash if something goes wrong, also.

Aside from API hooking methods there are other sandboxing methods which may come into role:
One idea for sandboxing would be to run the target program as a child to a container parent process which has restricted access (running with lower priorities) and therefore if the system did end up becoming compromised due to the malware bypassing the sandbox, it'd face the new problem of being ran with restricted privileges due to the OS restrictions (since the process would be of a low authority and wouldn't be able to carry out specific actions without being higher up). I believe many sandbox software use this method, maybe even Sandboxie also.

As an example, I believe Sandboxie utilises kernel-mode patching on x86 systems via use of it's device driver/s however on x64 systems it will be working with user-mode patching methods (e.g. IAT hooking) - it most likely uses device drivers on x64 systems also for some things (possibly a file system mini-filter driver for file/folder restriction). Please do correct me if I am wrong.

When it comes to isolation, virtualisation is a much better and secure approach compared to sandboxing and therefore if you are considering of testing malware then I recommend you just stick to a Virtual Machine since escaping a VM is a complete new story than a sandbox... Most VM exploits are due buffer overflow attacks and exploiting of vulnerabilities found in the VM additional features (such as: Shared Folder, shared Clipboard, etc) - and are much harder to identify and actually exploit.

Hope this helped and if I misunderstood your question then I do apologise!

Stay safe,
Wave. :)
 
Last edited by a moderator:
  • Like
Reactions: SHvFl, tim one, Meganono and 8 others
MALHunter

MALHunter

Level 1
Thread author
Oct 3, 2016
6
Wave said:
There are many different methods when it comes to sandboxing programs however without manual analysis on specific sandboxing software it's hard to determine what techniques are being utilised (unless specified publicly by the vendor).


API hooking - most sandboxing software will evolve around this method since it allows the sandbox software to alter the execution flow of the target program and intercept upon certain API calls (which are targeted) and then continue to either redirect/block the actions entirely or just log it and allow it to pass through. Of course nothing is bullet-proof and everything has flaws however this method is also commonly found for the internals of most BB/HIPS/Dynamic Heuristics functionality in traditional AV/IS software (and also can be used for self-protection mechanisms in security software).

On x64 systems you won't really find kernel-mode sandboxing techniques being utilised - you can find sandbox software making use of File system Mini-filter drivers to restrict access to specific folders/files, but you won't find sandboxing software using kernel-patching techniques due to KPP (Kernel Patch Protection) which is integrated into PatchGuard (one of the Windows security features which was introduced at the start of Windows Vista for x64 versions of the OS only).

On x86 systems sandboxing software can be much more secure since it can utilise kernel-patching techniques (e.g. hook the System Service Dispatch Table) and thus this makes bypassing the sandbox software much more difficult - this is due to not being able to escape the hooks without unhooking of the SSDT which would require kernel-mode components (and if the sandbox restricted the program properly it would be unable to load a device driver to give it the advantage and power of escaping the sandbox).

Most of the time you'll find sandboxing software using user-mode (ring 3) hooks (e.g. IAT/EAT hooking techniques - this is the practise of modifying the pointer addresses for a function in the IAT/EAT table to the pointer address of the callback function, which will result in code execution flow modification so the new callback function is invoked when the target hooked function is called by the affected program/s). The main downside of these techniques is that sandboxed malware can potentially find methods of escaping the sandbox due to manual implementation of the function prologue (e.g. NTAPI) they want to call/system calls, thus evading the set hooks without alarming the sandboxing software - instead of this an alternate would be to just attempt to remove the hooks and then call the functions as it normally would.

However kernel-mode patching for sandboxing is much more difficult than just some kernel-mode hooking techniques since it's system-wide and thus results in affecting all running programs (so lots of work to polish it up to work right is necessary), therefore it won't work as well as user-mode hooking (which would only affect the target programs which have the sandbox code injected into them), regardless of if kernel-mode patching is more secure than user-mode patching methods - user-mode methods are much more stable since it won't result in a system-wide crash if something goes wrong, also.

Aside from API hooking methods there are other sandboxing methods which may come into role:
One idea for sandboxing would be to run the target program as a child to a container parent process which has restricted access (running with lower priorities) and therefore if the system did end up becoming compromised due to the malware bypassing the sandbox, it'd face the new problem of being ran with restricted privileges due to the OS restrictions (since the process would be of a low authority and wouldn't be able to carry out specific actions without being higher up). I believe many sandbox software use this method, maybe even Sandboxie also.

As an example, I believe Sandboxie utilises kernel-mode patching on x86 systems via use of it's device driver/s however on x64 systems it will be working with user-mode patching methods (e.g. IAT hooking) - it most likely uses device drivers on x64 systems also for some things (possibly a file system mini-filter driver for file/folder restriction). Please do correct me if I am wrong.

When it comes to isolation, virtualisation is a much better and secure approach compared to sandboxing and therefore if you are considering of testing malware then I recommend you just stick to a Virtual Machine since escaping a VM is a complete new story than a sandbox... Most VM exploits are due buffer overflow attacks and exploiting of vulnerabilities found in the VM additional features (such as: Shared Folder, shared Clipboard, etc) - and are much harder to identify and actually exploit.

Hope this helped and if I misunderstood your question then I do apologise!

Stay safe,
Wave. :)
Click to expand...
 
  • Like
Reactions: DardiM and Logethica
W

Wave

MALHunter said:
Please Introduce some Paper or Book or URL for more examination.
Click to expand...
Sorry but I'm afraid I don't actually have any resources related to sandbox development (e.g. which techniques are used and how they are implemented) to share (if I did then I would edit them into the original post). I wrote the above based off my own personal experience on security software development.

You can try searching around popular search engines like Google to see if you can find any additional resources on other third-party forums however if you do decide to do this I would keep your eyes open because a lot of forums are more about escaping sandbox mechanisms (or detecting presence of them to alter malicious behaviour) rather than about development of security software - and such forums contain malware authors more often than security researchers with good intentions and therefore you shouldn't trust them and should stay away from those areas.

If you want to learn more about theory behind API hooking/device driver development (or even maybe find a starting point to programming implementation) then I really suggest you take a look at forums like CodeProject & StackOverflow, there are many old threads with good information for an educational standing point. You'll have to do some digging though.
 
  • Like
Reactions: SHvFl, tim one, Der.Reisende and 5 others
W

Wave

As an addition to my previous response (back from October) I would like to add that some more sophisticated sandboxing systems such as the ones implemented in software like Comodo Firewall most likely utilise real virtualisation via Intel VT-x and AMD-V (SVM - Secure Virtual Machine) technology - the same method used by virtualisation software (Virtual Machines) like VMWare Workstation and VirtualBox.

Of course, real virtualisation via this method is the best in terms of sandboxing strength/security, it would be much more difficult to break this protection (e.g. escape the sandboxing), whereas with the standard "sandbox" approach of API hooking methods (e.g. user-mode API hooking) is quite simple for a malware author to bypass as long as he has experience with Windows internals and knows what he is doing with malware development in general.

Check these for additional useful information (potentially):
http://www.intel.com/design/intarch/papers/316087.pdf
Developer Guides, Manuals & ISA Documents - AMD
http://www.mimuw.edu.pl/~vincent/lecture6/sources/amd-pacifica-specification.pdf
21.10. Enabling Intel VT-x and AMD-V Virtualization Hardware Extensions in BIOS

@MALHunter If you are developing a sandbox product I recommend you take the real virtualisation route. Depending on different factors you may even be able to get permission to utilise the VirtualBox engine (via your own software) which is what Avast does for the DeepScreen feature. Comodo also utilise VT-x and AMD-V (SVM) technology for their sandboxing. I do not believe Sandboxie use this method since I found no evidence of this when I checked - it appears Sandboxie mostly relies on things like API hooking (SbieDll.dll hooks as many functions as it can, even MessageBoxA/W functions from User32.dll) and runs the program under a different user (most likely in the case of sandbox compromises to prevent the sample from being able to access outside of the isolated user account).

That being said, to work with virtualisation your system will need to exceed some specific minimum requirements... For example, depending on the virtualisation factors will depend on you needing to meet specific requirements of RAM. As well as this, your processor to your system will need to actually support virtualisation and it'll need to be enabled from the BIOS... This is why some systems (typically older ones) cannot entitle themselves to making use of Comodo Sandbox/Avast DeepScreen/Virtual Machines sometimes, due to not meeting such requirements.

I am currently studying VT-x and AMD-X (SVM) and can definitely vouch for it being good and useful. You can even develop your own Virtual Machine software with it if you learn enough about it (and can figure out how to utilise it).

Hope this helped someone out there, good luck. ;)
 
Last edited by a moderator:
  • Like
Reactions: DardiM, MALHunter, Logethica and 10 others
You must log in or register to reply here.

Similar threads

D
  • Locked
I need to detect a kernel rootkit
Replies
12
Views
741
Windows Malware Removal Help & Support
nasdaq
nasdaq
A
    • Like
Question Does Sandboxie Plus Support Advanced Security Tweaks in Windows 11?
Replies
1
Views
842
Sandboxie
DavidXanatos
DavidXanatos
enaph
    • +Reputation
    • Like
New Update macOS 14.4 brings 50+ security fixes, iOS 17.4 patch list expands to over 40
Replies
1
Views
327
macOS, iOS & iPadOS
vtqhtr413
vtqhtr413

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top