Windows builtin Sandbox for Reverse Engineering

[jhelb1993]

For Reversing Malware, CTF's, or any other file i don't trust, i created a sandbox configuration (.wsb), you can use the Windows Sandbox (For Windows 11 Pro users and better, not for the Home Edition) like a VM, but on exit, it looses all data. Well, i found a way so that i don't have to install Binary Ninja or update the license everytime i start the sandbox.

1. Enable Sandbox in the Windows Features, then reboot
2. Install Binary Ninja on Hostcomputer and run it without activating your license
3. Create a .wsb file and replace YOUR_USERNAME with yours, check in windows explorer how your folder is called:

<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Program Files\Vector35\BinaryNinja</HostFolder>
      <SandboxFolder>C:\Program Files\Vector35\BinaryNinja</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>

    <MappedFolder>
      <HostFolder>C:\Users\YOUR_USERNAME\AppData\Roaming\Binary Ninja</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\AppData\Roaming\Binary Ninja</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>

  </MappedFolders>

  <Networking>Enable</Networking>
</Configuration>

Start this wsb file, start binary ninja, register your license, and close the sandbox.

Now, we want start Binary Ninja automatically with the Sandbox, and disable write access to C:\Users\WDAGUtilityAccount\AppData\Roaming\Binary Ninja

<Configuration>
  <MappedFolders>

    <MappedFolder>
      <HostFolder>C:\Program Files\Vector35\BinaryNinja</HostFolder>
      <SandboxFolder>C:\Program Files\Vector35\BinaryNinja</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>

    <MappedFolder>
      <HostFolder>C:\Users\YOUR_USERNAME\AppData\Roaming\Binary Ninja</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\AppData\Roaming\Binary Ninja</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>

  </MappedFolders>

  <LogonCommand>
      <Command>cmd /c timeout /t 2 &amp; "C:\Program Files\Vector35\BinaryNinja\binaryninja.exe"</Command>
  </LogonCommand>

  <Networking>Enable</Networking>
</Configuration>

Depending on the situation, you can also adjust this configuration to remove the network connection:

  <Networking>Disable</Networking>

You might need to copy some DLL files from C:\Windows\System32 into the BinaryNinja installation folder! You'll get a message saying that DLL files are missing.

For use Binary Ninja on the Hostmachine and in the Sandbox, just rename the

C:\Users\YOUR_USERNAMEl\AppData\Roaming\Binary Ninja
to
C:\Users\YOUR_USERNAMEl\AppData\Roaming\Binary Ninja Sandbox

and update the .wsb file:

<HostFolder>C:\Users\YOUR_USERNAMEl\AppData\Roaming\Binary Ninja Sandbox</HostFolder>

Hope it's useful for someone!

Cheers!

Screenshot: