Nt API calls in trace not piped? #2

ContegoCode opened this issue Jul 2, 2024 · 10 comments


ContegoCode commented Jul 2, 2024

Using LogAPI, both the release and verbose builds work, but I cannot seem to get the native system calls to show up as they do in Sandboxie Plus. For example, in the sandbox trace I see:
|Process| |Type| |Status| |Value|

Start.exe (16932, 25084) - 21:08:25.873 ApiCall (U) Trace ntdll.dll!NtClose
Start.exe (16932, 25084) - 21:08:25.873 ApiCall (U) Trace ntdll.dll!NtClose
Start.exe (16932, 25084) - 21:08:25.873 ApiCall (U) Trace ntdll.dll!NtQueryKey
Start.exe (16932, 25084) - 21:08:25.873 ApiCall (U) Trace ntdll.dll!NtOpenKeyEx
Start.exe (16932, 25084) - 21:08:25.873 ApiCall (U) Trace ntdll.dll!NtQueryValueKey
Start.exe (16932, 25084) - 21:08:25.873 ApiCall (U) Trace ntdll.dll!NtQueryValueKey
Start.exe (16932, 25084) - 21:08:25.873 ApiCall (U) Trace ntdll.dll!NtClose

But when I use LogAPI and pipe the information to my application I get:
Executing(26952): C:\Windows\regedit.exe
VirtualAllocEx(\Device\HarddiskVolume10\Windows\regedit.exe, MEM_COMMIT MEM_RESERVE MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE, RegionSize=0x0000000000010000) [c:\windows\regedit.exe]
VirtualAllocEx(\Device\HarddiskVolume10\Windows\regedit.exe, MEM_COMMIT MEM_RESERVE MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE, RegionSize=0x0000000000004000) [c:\windows\regedit.exe]
QuerySystemInformation(SystemBasicInformation) [c:\windows\regedit.exe]
QuerySystemInformation(SystemProcessorInformation) [c:\windows\regedit.exe]
QueryProcessInformation(\Device\HarddiskVolume10\Windows\regedit.exe, ProcessImageInformation) [c:\windows\regedit.exe]
CreateEvent(SBIE_BOXED_ServiceInitComplete_RpcSs) [c:\windows\regedit.exe]
CreateThread() [c:\windows\regedit.exe]
ResumeThread(27024) [c:\windows\regedit.exe]
OpenProcessToken(\Device\HarddiskVolume10\Windows\regedit.exe, TOKEN_QUERY, TOKEN_READ) [c:\windows\regedit.exe]
FindWindow(RegEdit_RegEdit, null) [c:\windows\regedit.exe]
CreateEvent(null) [c:\windows\regedit.exe]
GetModuleHandle(shell32.dll) [c:\windows\regedit.exe]
VirtualAllocEx(\Device\HarddiskVolume10\Windows\regedit.exe, MEM_COMMIT MEM_RESERVE MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE, RegionSize=0x0000000000010000) [c:\windows\regedit.exe]
VirtualAllocEx(\Device\HarddiskVolume10\Windows\regedit.exe, MEM_COMMIT MEM_RESERVE MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE, RegionSize=0x0000000000004000) [c:\windows\regedit.exe]

I am fairly sure this must be a simple fix, but I also figured that any traces enabled in Sandboxie Plus that are output to the trace window would be piped as well, not just the user-mode calls. Thank you for all your hard work! I look very much forward to hearing your reply, as I am stuck at the moment.

Here is my config file:

# Sandboxie configuration file

[GlobalSettings]
FileRootPath=C:\Users\Cobal\OneDrive\Desktop\Dynamic Extractor\Dynamic Extractor\bin\x64\Debug\Sandbox%SANDBOX%
Template=WindowsRasMan
Template=WindowsLive
Template=Edge_Fix
Template=OfficeLicensing
Template=NotepadPlusPlus_fix
Template=OfficeClickToRun
ApproveWinNtSysCall=SubscribeWnfStateChange
TraceLogging=y
DefaultBox=DefaultBox
KeyRootPath=\REGISTRY\USER\Sandbox_%USER%%SANDBOX%
IpcRootPath=\Sandbox%USER%%SANDBOX%\Session_%SESSION%

[UserSettings_0C080202]
SbieCtrl_UserName=cobal
SbieCtrl_BoxExpandedView=DefaultBox
SbieCtrl_AutoStartAgent=SandMan.exe -autorun
SbieCtrl_WindowCoords=1226,164,498,299
SbieCtrl_ActiveView=40021
SbieCtrl_ProcessViewColumnWidths=250,70,300
SbieCtrl_NextUpdateCheck=1719589864
SbieCtrl_EnableAutoStart=n
SbieCtrl_HideMessage=y
BoxGrouping=:DefaultBox

[DefaultBox]
Enabled=y
BlockNetworkFiles=y
BorderColor=#00ffff,off,6
Template=OpenBluetooth
Template=SkipHook
Template=FileCopy
Template=qWave
Template=BlockPorts
Template=LingerPrograms
Template=AutoRecoverIgnore
ConfigLevel=10
ApiTrace=y
InjectDll=C:\Users\Cobal\OneDrive\Desktop\Dynamic Extractor\Extractor\bin\x64\Debug\Sandbox\logapi32.dll
InjectDll64=C:\Users\Cobal\OneDrive\Desktop\Dynamic Extractor\Dynamic Extractor\bin\x64\Debug\Sandbox\logapi64.dll
OpenPipePath=\Device\NamedPipe\LogAPI
OpenWinClass=TFormBSA
NotifyDirectDiskAccess=y
MsiInstallerExemptions=y
ProcessLimit1=20
ProcessLimit2=30
BoxNameTitle=-
CopyLimitKb=102400
PromptForFileMigration=n
CopyLimitSilent=y
ConfigLevel=8
ClosedFilePath=!,
ClosedFilePath=!
TraceNetworkAccess=y
FakeAdminRights=y
CoverBoxedWindows=y
RpcMgmtSetComTimeout=n
ClosedIpcPath=,*
OpenClipboard=n
LingerExemptWnds=n
LingerLeniency=n
ProcessGroup=,vmconnect.exe,securekernel.exe,memtest.exe
AutoDelete=y

ContegoCode changed the title from "Nt API calls are not showing in the trace?" to "Nt API calls in trace not piped?" on Jul 2, 2024
@kokofixcomputers

@DavidXanatos Please take a look :) Thanks

@DavidXanatos
Member

Well, this has a very good reason: the system calls are not captured by the LogAPI DLL but by the Sandboxie driver directly.
So what you want to do won't easily work; one could add additional hooks or syscall instrumentation to LogAPI, but that is currently not implemented.

@ContegoCode
Author

OK, I noticed a release was just published, 1.14.3. Is it in the works to maybe have a CLI option to save all enabled trace output to a log file?

@DavidXanatos
Member

This issue is also present in Sandboxie when running applications in app compartment mode; there the syscalls are not routed through the driver. You can look at NTSTATUS InstallInstrumentationCallback() for how to log syscalls in user mode.
I added it recently in 1.13.x, but it seems to sometimes cause crashes, so I need to debug that a bit more.

About the log file: you can save it from the GUI. Alternatively, you could talk to the driver and receive the log instead of the GUI.

@ContegoCode
Author

I was hoping there would be a way to get the Nt calls without needing the Sandboxie GUI or having to manually click Save, and instead have an automated way of either saving the output to log files for each process execution or somehow piping the Nt calls directly through a communication port or some other inter-process communication means. If this is not implemented yet, should I look into the driver's callback area, either pre-op or post-op, to set up something there? What would be your best opinion here?

@DavidXanatos
Member

If you can load SbieDll.dll in your project, you can use its API to enable trace logging and receive events; see:
SbieApi_MonitorControl and SbieApi_MonitorGetEx
Ideally you would need the not-yet-implemented SbieApi_MonitorGet2, but you can use SbieApi_Call instead.

@ContegoCode
Author

ContegoCode commented Jul 2, 2024

OK, so essentially, if I understand you, if I import SbieDll.dll into my project I can call its functions or subs to get the Nt trace data? Sorry, I am not familiar with the not-implemented SbieApi_MonitorGet2; what is SbieApi_Call and how can I use it? Are the function and/or sub names self-explanatory and easy to use? I am coding with the .NET Framework and not C or C++ for this particular project. I may need to P/Invoke?

@DavidXanatos
Member

Yes, you will need P/Invoke. I never implemented SbieApi_MonitorGet2, as the old UI has only a very rudimentary trace log and the new UI does not use SbieDll.dll but a newly implemented Qt-based API library, which for you is NOT useful, as you surely don't want the entire Qt framework as a dependency in your .NET project.
SbieApi_Call is a variable-argument function; it seems in .NET it is a bit tricky to use one of those, but possible: https://stackoverflow.com/questions/2124490/what-is-the-proper-pinvoke-signature-for-a-function-that-takes-var-args
It takes the message ID as the first argument, the parameter count as the second, and then the 0-7 arguments.
Look at bool CSbieAPI::GetMonitor() in the new QSbieApi.dll source; it takes 2 arguments, buffer length and pointer, and gives you a bunch of results all together to be split apart "manually". This offers much better performance than retrieving the trace data one event at a time.
So in C it would be something like: SbieApi_Call(API_MONITOR_GET2, 2, pMyBuffer, &MyBufferSize). MyBufferSize must be a ULONG and contain the size of the available buffer before the call; after the call it will contain the size of the data returned.
A nice thing about API_MONITOR_GET2 is that, as part of the returned trace log entries, you can obtain a full stack trace for each log entry if that was enabled in the INI before the logging was initialized.

@ContegoCode
Author

ContegoCode commented Jul 2, 2024

I have it almost working, but SbieApi_Call does not seem to exist in the source code of QSbieApi.dll; I did find it in Start.cpp and various other places in the source. Importing QSbieApi.dll and calling SbieApi_Call also returns an "entry point not found" exception. API_MONITOR_GET2 seems to pertain to an undefined enum with a value of 305397832; is this the message ID? Once I can correct these I believe the issue should be resolved. Thank you for your hard work and help.

Here is the code I have so far:

Imports System
Imports System.Runtime.InteropServices
Imports System.Text
Imports System.Threading

Module SbieApi
    ' SbieApi_Call is exported by SbieDll.dll; QSbieAPI.dll only wraps it,
    ' which is why importing from QSbieAPI.dll fails with "entry point not found".
    Private Const SbieDll As String = "SbieDll.dll"
    Private Const API_MONITOR_GET2 As Integer = 305397832

    ' Size of the receive buffer offered to the driver on every call.
    Private Const BufferCapacity As UInteger = 1024UI * 1024UI ' 1 MB

    ' SbieApi_Call(ULONG api_code, LONG arg_num, ...) is a cdecl variadic function.
    ' The fixed signature below matches the two-argument API_MONITOR_GET2 shape.
    ' The size parameter is a C ULONG, i.e. 32 bits, so it must be UInteger here
    ' (ULong is 64 bits and would corrupt the argument).
    <DllImport(SbieDll, CallingConvention:=CallingConvention.Cdecl, EntryPoint:="SbieApi_Call")>
    Public Function SbieApi_Call(messageId As Integer,
                                 paramCount As Integer,
                                 buffer As IntPtr,
                                 ByRef bufferSize As UInteger) As Integer
    End Function

    Public Delegate Sub TraceLogEventHandler(ByVal traceLog As String)
    Public Event TraceLogReceived As TraceLogEventHandler
    Public listening As Boolean = True

    Public Sub ListenForTraces()
        Dim buffer As IntPtr = Marshal.AllocHGlobal(CInt(BufferCapacity))

        Try
            While listening
                ' bufferSize is in/out: the available size going in, the number of
                ' bytes returned coming out, so it must be reset before every call.
                Dim bufferSize As UInteger = BufferCapacity
                Dim result As Integer = SbieApi_Call(API_MONITOR_GET2, 2, buffer, bufferSize)

                If result = 0 Then
                    If bufferSize > 0 Then
                        ' Copy only the bytes actually returned, not the whole buffer.
                        Dim data(CInt(bufferSize) - 1) As Byte
                        Marshal.Copy(buffer, data, 0, CInt(bufferSize))

                        ' The buffer holds several trace entries back to back that
                        ' still need to be split apart; this decodes it as one string.
                        Dim traceLog As String = Encoding.UTF8.GetString(data)
                        RaiseEvent TraceLogReceived(traceLog)
                    Else
                        ' Nothing queued yet; back off instead of spinning on the driver.
                        Thread.Sleep(50)
                    End If
                Else
                    ' Handle the error (result is the NTSTATUS from the driver).
                    Console.WriteLine("Error retrieving trace log: 0x" & result.ToString("X8"))
                    Thread.Sleep(50)
                End If
            End While
        Finally
            Marshal.FreeHGlobal(buffer)
        End Try
    End Sub

End Module
