2025-01-18 Update From: SLTechnology News&Howtos > Development
Shulou (Shulou.com) 06/03 Report
This article explains how to use wsb-detect to determine whether your code is running inside Windows Sandbox. Many people are unsure how to make this check, so the methods below were collected from the tool's documentation and written up in a simple, practical form.
Overview of wsb-detect
wsb-detect helps researchers determine whether an application is currently running in Windows Sandbox (WSB). Windows Defender uses this sandbox for dynamic analysis, and a lot of manual security analysis is performed inside it as well. At the end of 2019, Microsoft introduced this new feature under the name Windows Sandbox (WSB for short).
Windows Sandbox lets you spin up a Hyper-V-based virtual machine in about 15 seconds, with the features common virtual machines have, such as clipboard sharing and mapped directories. The same sandbox is the foundation of Microsoft Defender Application Guard (WDAG) for dynamic analysis on Hyper-V-enabled hosts, and it can be enabled on any Windows 10 Professional or Enterprise computer.
Technical details
wsb_detect_time
The sandbox image appears to have been created at 9:14:52 on Saturday, December 7, 2019, which is probably when Windows Sandbox was first released to the public. This check cross-references the creation timestamp of the mountmgr driver.
wsb_detect_username
This check tests whether the current user name is WDAGUtilityAccount, the account the sandbox logs in with by default.
wsb_detect_suffix
This check uses GetAdaptersAddresses to enumerate the network adapters and compares each DNS suffix to mshome.net, which the sandbox uses by default.
wsb_detect_dev
This check tests whether the raw device \\.\GLOBALROOT\device\vmsmb can be opened; the sandbox uses it to communicate with the host over SMB.
wsb_detect_cmd
At startup, the sandbox runs a command under the RunOnce key of HKEY_LOCAL_MACHINE that sets the account password to never expire; this check searches for that command.
wsb_detect_office
This check looks for the OfficePackagesForWDAG directory on the current root drive, which appears to be used for Windows Defender's Microsoft Office emulation.
wsb_detect_proc
This check looks for CExecSvc.exe, the container execution service that does much of the heavy lifting inside the sandbox.
wsb_detect_genuine
This is a more generic sandbox-detection method, but in testing, Windows is not verified as genuine inside the virtual machine.
Other
In addition, by checking whether a mutex named WindowsSandboxMutex can be created, you can detect on the host whether a sandbox is currently running. This mutex is what limits each host to one virtual machine; by duplicating the handle and calling ReleaseMutex to release it, voilà, you can run multiple virtual machine instances.
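As an added example (not part of wsb-detect or of the original article), the PowerShell below re-implements most of the indicators listed above, so an analyst can confirm from inside a session which artefacts identify it as Windows Sandbox, and from the host whether a sandbox is running. The RunOnce match pattern and the date-only comparison of the mountmgr timestamp are assumptions, since the page does not give the exact command text or time zone.

```powershell
function Test-WindowsSandboxIndicators {
    $hits = [ordered]@{}

    # wsb_detect_username: the account WSB logs in with by default
    $hits['username'] = ($env:USERNAME -eq 'WDAGUtilityAccount')

    # wsb_detect_suffix: connection-specific DNS suffix handed out inside WSB
    $suffixes = Get-DnsClient | Select-Object -ExpandProperty ConnectionSpecificSuffix
    $hits['dns_suffix'] = [bool]($suffixes | Where-Object { $_ -eq 'mshome.net' })

    # wsb_detect_proc: the container execution service
    $hits['cexecsvc'] = [bool](Get-Process -Name 'CExecSvc' -ErrorAction SilentlyContinue)

    # wsb_detect_office: Office emulation packages on the root drive
    $root = [System.IO.Path]::GetPathRoot($env:SystemRoot)
    $hits['office_pkgs'] = Test-Path (Join-Path $root 'OfficePackagesForWDAG')

    # wsb_detect_cmd: RunOnce entry that sets the sandbox account's password to never expire.
    # The exact command text is not on the page; matching on 'PasswordExpires' is an assumption.
    $runOnce = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' -ErrorAction SilentlyContinue
    $hits['runonce_pwd'] = [bool]($runOnce.PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match 'PasswordExpires' })

    # wsb_detect_time: creation date of the mountmgr driver (the 2019-12-07 image stamp).
    # Compares the date only, since CreationTime is reported in local time (assumption).
    $mountmgr = Get-Item (Join-Path $env:SystemRoot 'System32\drivers\mountmgr.sys')
    $hits['mountmgr_date'] = ($mountmgr.CreationTime.Date -eq [datetime]'2019-12-07')

    # Host-side check from the 'Other' section: the sandbox launcher holds WindowsSandboxMutex.
    # The handle is disposed immediately so this probe never blocks a real sandbox launch.
    $createdNew = $false
    $mutex = New-Object System.Threading.Mutex($false, 'WindowsSandboxMutex', [ref]$createdNew)
    $mutex.Dispose()
    $hits['host_sandbox_running'] = -not $createdNew

    # Summary: the in-session indicators that are specific to WSB rather than to any VM
    $inSandbox = $hits['username'] -or $hits['cexecsvc'] -or $hits['office_pkgs']
    return [pscustomobject]$hits |
        Add-Member -NotePropertyName InSandbox -NotePropertyValue $inSandbox -PassThru
}

Test-WindowsSandboxIndicators | Format-List
```

Run it once on the host and once inside a sandbox session: the host should show only host_sandbox_running, while a session should light up username, cexecsvc and office_pkgs, which is useful for confirming that a sample really executed inside WSB.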
wsb-detect download
Researchers can clone the tool's source code locally with the following command and then call it directly from their own code:
git clone https://github.com/LloydLabs/wsb-detect.git
wsb-detect usage
The header file detect.h exports all of wsb-detect's detection functions:
```c
#include <stdio.h>
#include "detect.h"

int main(int argc, char** argv)
{
    // example: vmsmb device and username check
    if (wsb_detect_dev() || wsb_detect_username())
    {
        puts("We're in Windows Sandbox!");
        return 0;
    }
    return 1;
}
```

This concludes the walkthrough of how to use wsb-detect to detect whether you are running in Windows Sandbox. Combining theory with practice is the best way to learn, so go and try it.