How Windows 1903 makes malware analysis easier — introducing Windows Sandbox

Microsoft just released Windows 1903 which includes a new operating system feature called Windows Sandbox. Windows Sandbox is a new lightweight desktop environment tailored for safely running applications in isolation, making it ideal for malware analysis.

Windows Sandbox is built on the same technologies that power Windows Containers making it more suitable to run on laptops without requiring the full power of Windows Server and/or a full VM. Here’s a first look into Windows Sandbox.

Windows Sandbox

Hari Pulapaka first introduced the concept of Windows Sandbox in previous Windows Insider builds in late December last year.

At its core Windows Sandbox is a lightweight virtual machine, so it needs an operating system image to boot from. One of the key enhancements Microsoft made for Windows Sandbox is the ability to use a copy of the Windows 10 installed on your computer, instead of downloading a new VHD image as you would have to do with an ordinary virtual machine.

Sandbox always presents a clean environment, but the challenge is that some operating system files can change. Microsoft’s solution is to construct what they refer to as “dynamic base image”: an operating system image that has clean copies of files that can change, but links to files that cannot change that are in the Windows image that already exists on the host. The majority of the files are links (immutable files) and that’s why the small size (~100MB) for a full operating system. Microsoft calls this instance the “base image” for Windows Sandbox, using Windows Container parlance.

Windows Sandbox uses Microsoft’s hypervisor. It is essentially running another copy of Windows which needs to be booted and this can take some time. So rather than paying the full cost of booting the sandbox operating system every time you start Windows Sandbox, Microsoft uses two other technologies; “snapshot” and “clone.”

Snapshot allows to boot the sandbox environment once and preserve the memory, CPU, and device state to disk. Then it can restore the sandbox environment from disk and put it in the memory rather than booting it, when you need a new instance of Windows Sandbox. This significantly improves the start time of Windows Sandbox.

PRO TIP: Windows Sandbox is also aware of the host’s battery state, which allows it to optimize power consumption. This is great for using it on laptops.

Enabling Sandbox in Windows

Windows Sandbox is built-in starting with build 1903 of Windows. You need to have either the Pro or Enterprise edition to enable it. Here are the high level steps to enable the feature:

  • Open Settings, go to Add or Remove Windows Features

· Select Windows Sandbox

  • Restart
  • Windows Sandbox will be in your Start Menu

As a minimum your device requires the AMD64 architecture, virtualization capabilities enabled in BIOS, at least 4GB of RAM, at least 1 GB of free disk space and at least 2 CPU cores.

PRO TIP: If you are using a virtual machine, enable nested virtualization with this PowerShell cmdlet: Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true

Customizing your Sandbox environment

It is possible to customize certain aspects of your Windows Sandbox environment. For instance, automatically launch a script at startup, map certain folders from the host into the Sandbox, etc. Currently these four aspects can be customized:

  • Enable or disable the virtualized GPU.
  • Enable or disable networking in the sandbox.
  • Share folders from the host.
  • Run a startup script or program.

To achieve this, Windows Sandbox uses so called Sandbox Config files. These have a file extension of .WSB are XML-based. Here’s an example:

<Configuration>
<VGpu>Disable</VGpu>
<Networking>Disable</Networking>
<MappedFolders>
<MappedFolder>
<HostFolder>C:\Users\Condicio\Downloads</HostFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
</MappedFolders>
<LogonCommand>
<Command>explorer.exe C:\users\WDAGUtilityAccount\Desktop\Downloads</Command>
</LogonCommand>
</Configuration>

Disabling or enabling the GPU and/or network is straightforward as you can see in the example. For Shared Folders you need to specify a folder that you want to share with the host system, e.g. C:\MALWARE, and whether you want it to be read-only or support write operations as well. Setting TRUE in the ReadOnly value makes it read-only, and FALSE enables read and write support.

<MappedFolder>
<HostFolder>path to the host folder</HostFolder>
<ReadOnly>value</ReadOnly>
</MappedFolder>
PRO TIP: Note that folders are always mapped under the path C:\Users\WDAGUtilityAccount\Desktop in your Windows Sandbox.

For the Command at Logon you may specify a file name and path or a script. The command EXPLORER.EXE would work, as would reference to a script, for instance: C:\Users\WDAGUtilityAccount\Desktop\MappedFolder\start.cmd.

<LogonCommand>
<Command>The command</Command>
</LogonCommand>

Save the file as SOMETHING.WSB and launch it whenever you want to run the Sandbox with this configuration. Thanks to Martin Brinkmann for this tip!

Analyzing Malware in Windows Sandbox

How do we get our malware samples in Windows Sandbox? While you can’t drag and drop files onto Windows Sandbox, the operating system actually allows you to copy & paste files into it. And as we saw above, you could also use a mapped folder to achieve this. And if you’ve enabled networking, you could also use regular applications such as Microsoft Edge to download files from any of your favorite malware analysis sites.

I’ve you’ve never worked with Malware before then head over to Palo Alto’s website to grab a sample file in the format you’d like to work with. Then check out Kris Kendall and Chad McMillan’s slide deck from BlackHat to get some first pointers on how to start off your malware analysis process, and what tools you could consider.

  • Here’s PEiD in Windows Sandbox:
  • Here’s OLLYDBG in Windows Sandbox:
  • Here’s STRINGS in Windows Sandbox:
PRO TIP: You can find the Sysinternals tools ready for use at http://live.sysinternals.com

To copy your findings back to your host machine, you could use the mapped Host Folder (enable it for Read/Write) or just Copy & Paste it back from the Sandbox window to your host.

Or just use OneNote online from your browser:

Conclusion

Windows Sandbox is great for malware analysis. It’s part of Windows — everything required for this feature ships with Windows 10 Pro and Enterprise. No need to download a VHD.

It’s pristine — every time Windows Sandbox runs, it’s as clean as a brand-new installation of Windows. It’s disposable — nothing persists on the device; everything is discarded after you close the application.

And it’s secure — uses hardware-based virtualization for kernel isolation, which relies on the Microsoft’s hypervisor to run a separate kernel which isolates Windows Sandbox from the host.

— Maarten Goet, MVP & RD