
Chapter 3 · Building a Sandbox

cwsandbox.exe

The cwsandbox.exe is a noninteractive console application, as it expects (and needs) no user input during its execution. The only possible input is CTRL+C, which is the standard Windows shortcut for terminating console applications. If execution is not ended prematurely by using this shortcut, the sandbox runs until all malware processes have terminated, a custom timeout is reached, or some critical event has occurred that requires an instant termination of the malware processes. During its runtime the following tasks are performed:

- The malware process is started in suspended mode, such that the process object is created and all modules are loaded, but not a single instruction has been executed yet.
- The cwmonitor.dll is injected into this new process.
- Runtime options and information are exchanged with this DLL.
- Throughout the execution, notifications are received from the DLL inside each monitored process. Depending on the received notification, some decisions have to be made by the sandbox; the DLL then waits for this decision and continues in the way the sandbox decided. In most cases, however, no decision is needed and the DLL simply routes the call to the original API function after sending the notification.
- After all processes have terminated or a given timeout is reached, all still running processes are terminated, or the created malicious threads are stopped if their parent processes cannot be terminated safely, as is the case with essential Windows processes like winlogon.exe.
- Under some circumstances the malware is terminated before the timeout occurs, for example to prevent serious harmful actions.
- A high-level analysis report is created from the collected data.
- Optionally, a .cab file archive is created from all the monitored data and some additional files.

Besides the monitoring of the relevant API function calls, the sandbox also offers some helpful features for a manual postprocessing step of the results.
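The notification and decision loop described above, as an added Python model (not CWSandbox's own code): the sandbox side receives one notification per hooked call from the monitor DLL, answers with a decision the DLL waits for, ends the run on timeout or on a critical action, and at cleanup terminates ordinary processes but only stops the threads inside essential ones like winlogon.exe. The essential-process names beyond winlogon.exe and the raw-disk-write rule for "serious harmful actions" are assumptions, since the text does not list them.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ROUTE = "route"        # DLL passes the call on to the original API
    STOP_ALL = "stop_all"  # timeout or critical event: end the analysis now


@dataclass
class Notification:
    pid: int
    image: str      # image name of the process the DLL is running in
    api: str        # hooked API the process is about to call
    args: dict      # selected arguments, as reported by the monitor DLL


# Processes that must never be terminated; only the injected malicious
# threads are stopped there. The text names winlogon.exe; the rest is assumed.
ESSENTIAL = frozenset({"winlogon.exe", "csrss.exe", "services.exe"})

# Assumed policy for "serious harmful actions": a raw write to the boot disk.
CRITICAL = {("NtWriteFile", "\\\\.\\PhysicalDrive0")}


@dataclass
class Sandbox:
    timeout: float                  # seconds of allowed runtime
    started: float                  # wall clock when the sample was resumed
    running: dict = field(default_factory=dict)   # pid -> image name
    events: list = field(default_factory=list)    # (pid, image, api) log
    stopped: bool = False

    def attach(self, pid: int, image: str) -> None:
        """Track a process that now hosts cwmonitor.dll (created suspended and
        injected, or an existing process that received a malicious thread)."""
        self.running[pid] = image

    def on_notification(self, n: Notification, now: float) -> Decision:
        """Decision sent back to the DLL, which blocks until it arrives."""
        self.events.append((n.pid, n.image, n.api))
        if n.api == "CreateProcessW":        # children are monitored as well
            self.attach(n.args["child_pid"], n.args["image"])
        if now - self.started >= self.timeout or (n.api, n.args.get("path")) in CRITICAL:
            self.stopped = True
            return Decision.STOP_ALL
        return Decision.ROUTE

    def on_exit(self, pid: int) -> None:
        self.running.pop(pid, None)

    def finish(self) -> dict:
        """Cleanup plan plus the high-level report of the run."""
        cleanup = {pid: ("stop_threads" if img in ESSENTIAL else "terminate")
                   for pid, img in self.running.items()}
        return {"events": len(self.events), "cleanup": cleanup,
                "terminated_early": self.stopped}
```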
Some of the most important features are enabled with the configuration options STORE_CREATED_FILES and DUMP_PROCESSES. The first one ensures that a copy of all newly created files is written into the .cab file. By this, you can get the data of