Scan tool to determine a program's behaviors?

Coldblackice ([H]ard|Gawd, joined Aug 14, 2010, 1,152 messages)
Anyone know of any scanner-type tools that can look at a program (on disk or running in memory) and report what type of base behaviors/abilities it's able to employ?

For example, reporting that an .exe has the ability and is set up for reading/writing to the registry, or that it's set up for network access (and to access X/Y/Z IPs), or that it can modify files on disk, or that it's able and likely to autostart itself with Windows via X/Y/Z path, etc.

So, basically a sandbox-type program like Sandboxie, but which leans more in the scanner-type direction of actively dissecting and reporting what a program can/may/will do?

Currently, I use a Windows Explorer shell extension that is able to submit file hashes to VirusTotal for analysis with two clicks of the mouse -- giving an overview of the file according to many different companies' scanners. But it'd be great to have a tool that can scan and look at the behavior of a program to see what it can/may do, and particularly, behaviors that are red flags, like autostarting itself, modifying certain areas or keys of the registry, attempting to access anything on disk other than its own folder, etc.
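The kind of static first pass the question asks for, as an added example rather than a tool anyone in the thread mentions: it pulls printable strings from a file's bytes, matches imported Win32 API names against a small hand-made capability map, looks for autostart registry paths, and flags the combinations the poster calls red flags. The API list, the patterns and the sample bytes are all constructed for this example; a real triage tool uses far larger rule sets and, as the replies note, only a sandbox run shows what the program actually does.

```python
import re

# Win32 API names grouped by the behaviour they imply. Constructed, deliberately small list.
API_CAPABILITIES = {
    "registry":   {"RegOpenKeyExW", "RegSetValueExW", "RegCreateKeyExW", "RegDeleteValueW"},
    "network":    {"WSAStartup", "socket", "connect", "send", "recv",
                   "InternetOpenUrlW", "URLDownloadToFileW"},
    "filesystem": {"CreateFileW", "WriteFile", "DeleteFileW", "MoveFileExW", "CopyFileW"},
    "process":    {"CreateProcessW", "ShellExecuteW", "OpenProcess",
                   "WriteProcessMemory", "CreateRemoteThread"},
    "service":    {"OpenSCManagerW", "CreateServiceW", "StartServiceW"},
}

# Persistence usually shows up as data strings rather than imports: common autostart paths.
AUTOSTART_PATTERNS = [
    rb"CurrentVersion\\Run(Once)?",
    rb"Start Menu\\Programs\\Startup",
    rb"CurrentVersion\\Winlogon",
]

def extract_strings(data, min_len=4):
    """Printable-ASCII runs, the same thing a `strings` pass yields."""
    return {m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)}

def triage(data):
    """Map each capability class to the sorted evidence found in the raw bytes."""
    names = extract_strings(data)
    report = {cap: sorted(apis & names) for cap, apis in API_CAPABILITIES.items() if apis & names}
    autostart = sorted({m.group().decode("ascii") for p in AUTOSTART_PATTERNS for m in re.finditer(p, data)})
    if autostart:
        report["autostart"] = autostart
    return report

def red_flags(report):
    """Combinations worth a closer look in a sandbox, in the spirit of the question."""
    caps, flags = set(report), []
    if {"autostart", "registry"} <= caps:
        flags.append("registry write API plus autostart key path: likely persistence")
    if {"network", "filesystem"} <= caps:
        flags.append("network plus file write: can fetch and drop files")
    if {"WriteProcessMemory", "CreateRemoteThread"} <= set(report.get("process", [])):
        flags.append("remote memory write plus remote thread: injection capability")
    return flags

# Constructed sample shaped like a PE import name table (2-byte hint, name, NUL) followed by
# a data string. Not taken from any real binary.
SAMPLE = (b"\x01\x00RegOpenKeyExW\x00\x02\x00RegSetValueExW\x00"
          b"\x03\x00WSAStartup\x00\x04\x00connect\x00\x05\x00send\x00"
          b"\x06\x00CreateFileW\x00\x07\x00WriteFile\x00"
          b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00")
```

Running `triage(open(path, "rb").read())` on a real file gives the same shaped report; remember that packed or obfuscated binaries hide their imports, so an empty report is not a clean bill of health.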
 
I just found *exactly* what I've been looking for --

"Buster Sandbox Analyzer" (http://bsa.isoftware.nl/)

It's a third-party addon to Sandboxie that watches/monitors a sandboxed program's behavior, monitoring key indicators like what and where it's modifying on disk, registry, network, ports, etc.

Unfortunately, it appears to have been discontinued with Sandboxie 4.0+, which is a major bite :/ Fingers crossed someone eventually continues carrying the torch on this fantastic addon, in one form or another.
 
http://technet.microsoft.com/en-us/sysinternals/bb896653
Process Explorer, a Sysinternals tool from Microsoft. You can submit a process to VirusTotal in the latest version of Process Explorer.

http://technet.microsoft.com/en-us/sysinternals/bb896645
Process Monitor goes a bit more in depth.

Both tools are free. Give them a shot.

I use both. Unfortunately, they're limited in the sense that they're not done within a sandbox subset (short of running in a VM), which is a necessity when doing malware analysis.

Thanks for the recs, though.
 
Mandiant Redline may be able to do some of what you're asking, but the application will need to be running in memory for Redline to analyze it. SOP for malware analysis is spooling up a VM and running analysis within that disposable, isolated environment. The only other thing you can do is try to decompile the executable and see if you can glean any information from the resulting source code.
 