8. Appendix A - Hiding Sandboxie



One of the flaws that affects malware analyzers in general is that malware can detect that it is running under the supervision of a malware analyzer and, in that case, terminate execution and therefore prevent the analysis.


It's really difficult, if not impossible, to completely hide a publicly available malware analyzer because there are too many methods for detecting the presence of this kind of software.


Having this in mind, from version 1.06 I have added certain countermeasures to prevent Sandboxie from being easily detected by sandboxed applications. For obvious reasons I will not give technical details about which methods have been used to do this. I will explain only the basic steps needed to get the countermeasures working properly.


From version 1.51 BSA uses its own driver to hide Sandboxie's processes. By default the driver is named BSA.SYS, but it can be renamed. The driver must be located in the BSA folder, where BSA.EXE is placed, and the extension must be .SYS.


From version 1.64 the service name can be modified, and the service can be configured to run on demand or to autostart.


Note: BSA requires admin privileges in order to install and run the driver.


The driver can be automatically installed and started if you enable the following option: “Options > Program Options > Hide Sandboxie”.


The status of the driver can be checked at “Utilities > Sandbox > Processes > Hide Sandboxie”. From there you can install, uninstall, start and stop the driver.
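The same state can be checked from outside the BSA GUI. The following PowerShell function is an added example, not part of BSA or its documentation; it assumes the service name (`BSA`) and the BSA folder path are placeholders you replace with your own, and it reports whether the driver service is installed, running, how it is configured to start, and whether its image sits in the BSA folder with a .SYS extension as the text requires.

```powershell
# Added example (not BSA's own code): verify the Hide Sandboxie driver service.
# The service name and folder below are assumptions; adjust them to your install.
function Test-BsaHideDriver {
    param(
        [string]$ServiceName = 'BSA',          # assumed; renameable from v1.64
        [string]$BsaFolder   = 'C:\Tools\BSA'  # assumed; folder that holds BSA.EXE
    )

    # Win32_SystemDriver lists kernel driver services with state and start mode.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name = '$ServiceName'"
    if (-not $drv) {
        return [pscustomobject]@{ Installed = $false; Running = $false; StartMode = $null; PathOk = $false; Path = $null }
    }

    # Driver image paths may carry a \??\ prefix or quotes; strip them before comparing.
    $path = ($drv.PathName -replace '^\\\?\?\\', '') -replace '"', ''

    # The documentation requires the driver in the BSA folder with a .SYS extension.
    $pathOk = ([IO.Path]::GetExtension($path) -ieq '.sys') -and
              ((Split-Path $path -Parent).TrimEnd('\') -ieq $BsaFolder.TrimEnd('\'))

    [pscustomobject]@{
        Installed = $true
        Running   = ($drv.State -eq 'Running')
        StartMode = $drv.StartMode   # 'Auto' (autostart) or 'Manual' (on demand)
        PathOk    = $pathOk
        Path      = $path
    }
}

Test-BsaHideDriver -ServiceName 'BSA' -BsaFolder 'C:\Tools\BSA' | Format-List
```

Querying the service does not require elevation, but installing or starting it does, as the note above states.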


The driver will also hide Buster Sandbox Analyzer's own process when it is executed as BSA.EXE.


Note: From version 1.37 LOG_API.DLL can have any file name.


Note: BSA.SYS will not work on 64-bit systems, so on these systems Sandboxie will be more exposed to detection than on 32-bit systems.