aftabali Posted August 29, 2014

THIS IS THE BASIC TUTORIAL TO BYPASS ANTI-SANDBOXIE USING OLLYDBG

Many people were curious to know how to bypass the anti-Sandboxie server. To do this we need to unpack the malware; if it has only UPX compression then we need to unpack that too, or any other protection. I am not good at OllyDbg or anything that is related to RCE, so I will only show you the basics to bypass the anti-Sandboxie problem. For this purpose I will give you how the code works and how to patch it. I don't know how to unpack malware; for that you should learn RCE a little bit. So I will be using simple anti servers.

I am going to use two types of servers:
- Sub7 RAT server (anti-Sandboxie)
- IRC bot server (anti-JoeBox)

Note: This method should work on all antis (anti-Wireshark, anti-VMware, etc.).

Some information

Some strings provide insights into the following layers of anti-analysis:
Sbiedll.dll
SandboxieRpcSs.exe
SandboxieDcomLaunch.exe
VBoxService.exe
wireshark.exe
joeboxserver.exe
joeboxcontrol.exe

Sandboxie and JoeBox are two commonly used sandboxing software packages.

Here is the tutorial on Sub7

___________________________________________________________________________________________________________

Now for the IRC bot

This bot was packed with UPX; got it unpacked from a friend. Running the binary using Sandboxie with Buster Sandbox Analyzer yields the following results:

Detailed report of suspicious malware actions:
Checked for debuggers
Created a mutex named: DBWinMutex
Defined Log_API entry: Anti-Malware Analyzer routine: OllyDbg detection
Defined Log_API entry: Checks for FireFox browser software presence
Defined Log_API entry: Checks for Microsoft Windows Security Center Notification software presence
Defined Log_API entry: Checks for OllyDbg software presence
Detected Anti-Malware Analyzer routine: Sandboxie detection
Enumerated running processes
Got computer name
Terminated process: c:\<...>\unpacked210.exe

The execution stops without further action.
So let's run the unpacked executable in OllyDbg and see if it is possible to find and thwart the detections listed above.

Analysis process detection

The first anti-analysis routine is related to the detection of the following processes:

The detection routine is as follows for each process name to detect:
- create a snapshot of the currently running processes
- compare the current process's name (obtained using Process32First) with the name of the process to detect
- if a match is found, an exception is raised and the process terminates (crashes)
- otherwise, the next running process is retrieved (using Process32Next) and its name is compared

This routine is illustrated hereunder.

To bypass this detection, the binary can be patched: when the name of the process to detect is pushed on the stack, the offset of the string in the binary can be modified to truncate the value on the stack:

PATCHED IT TOO SUCCESSFULLY :D
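As an added example that is not part of the original post: a small triage script that searches a binary for the indicator strings listed above, in both ASCII and UTF-16LE (the encoding the wide Windows API variants use), and reports which anti-analysis layer each hit points at. The layer names and the sample blob are constructed for this example.

```python
"""Triage scanner for the anti-analysis process-name strings from the post.
Finds each indicator in ASCII and UTF-16LE, case-insensitively, and reports
its offset and the analysis tool it targets (layer names are assumptions)."""
import re

# Indicator strings from the post, grouped by the analysis tool they target.
INDICATORS = {
    "Sandboxie": ["Sbiedll.dll", "SandboxieRpcSs.exe", "SandboxieDcomLaunch.exe"],
    "VirtualBox": ["VBoxService.exe"],
    "Wireshark": ["wireshark.exe"],
    "JoeBox": ["joeboxserver.exe", "joeboxcontrol.exe"],
}


def _patterns():
    """Compile one case-insensitive regex per indicator and encoding."""
    pats = []
    for layer, names in INDICATORS.items():
        for name in names:
            ascii_re = re.compile(re.escape(name.encode("ascii")), re.IGNORECASE)
            # UTF-16LE: every ASCII character is followed by a NUL byte.
            wide_re = re.compile(re.escape(name.encode("utf-16-le")), re.IGNORECASE)
            pats.append((layer, name, "ascii", ascii_re))
            pats.append((layer, name, "utf-16le", wide_re))
    return pats


def scan(data: bytes):
    """Return a sorted list of (offset, layer, indicator, encoding) hits."""
    hits = []
    for layer, name, enc, rx in _patterns():
        for m in rx.finditer(data):
            hits.append((m.start(), layer, name, enc))
    return sorted(hits)


def layers_detected(data: bytes):
    """Set of anti-analysis layers whose indicators appear anywhere in data."""
    return {layer for _, layer, _, _ in scan(data)}


# Constructed sample blob: one ASCII and one wide indicator between filler
# bytes and an unrelated DLL name, standing in for a real unpacked sample.
SAMPLE = (b"\x90" * 16 + b"SBIEDLL.DLL\x00" + b"\xcc" * 8
          + "joeboxserver.exe".encode("utf-16-le") + b"\x00\x00"
          + b"kernel32.dll\x00")

if __name__ == "__main__":
    for off, layer, name, enc in scan(SAMPLE):
        print(f"0x{off:06x}  {layer:<11} {name:<25} ({enc})")
```

Run it against a real unpacked sample by reading the file into `scan()`; a hit tells you which check to expect before you step through it in OllyDbg.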