I have a file that could possibly be a virus. I'd like to execute the file in some form of a sandboxed environment and trace what files it tries to modify or basically anything that it is trying to do. What software tools and knowledge do I need to do this?

My system is Windows 7.

A: 

You could set up a virtual machine with Microsoft Virtual PC or VMware Workstation/Player.
That should prevent any harm to your machine / system.

To see the actions of the virus you could monitor your registry/filesystem changes and network activity. These applications are easy to find with Google: Sysinternals has a few free ones.

Zyphrax
+4  A: 

I'll try and see this in a programming context as reverse engineering. Here are some things you could do:

  • Get an idea of what APIs it'll call using depends.exe from the Microsoft SDK. You'll also be able to see what symbols it refers to.
  • Use procexp.exe / tcpview.exe / filemon.exe / regmon from http://www.sysinternals.com to see the activity of the process at runtime.
  • Execute it with the WinDbg debugger from Microsoft to find out what's going on, also.

You could, of course, go further. As Zyphrax suggests in his answer, you are best doing this inside some form of virtual machine on the assumption that the code is dangerous.

Ninefingers
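Once the sample has run inside the VM with Process Monitor (the Sysinternals tool that replaced filemon/regmon) capturing, the saved log can be reduced to what the process actually changed, which is the "trace what files it tries to modify" part of the question. This is an added example, not code from either answer: the CSV rows, the process name suspect.exe and the column layout assumed for the export are all constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed Process Monitor CSV export (File > Save, CSV, default columns).
# Every row is made up for illustration; "suspect.exe" is a placeholder name.
SAMPLE_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","suspect.exe","4242","CreateFile","C:\Users\me\AppData\Roaming\svc.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.2","suspect.exe","4242","WriteFile","C:\Users\me\AppData\Roaming\svc.exe","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.3","suspect.exe","4242","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc","SUCCESS","Type: REG_SZ"
"10:01:02.4","suspect.exe","4242","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Data/List Directory"
"10:01:02.5","suspect.exe","4242","TCP Connect","mypc:49200 -> 203.0.113.5:443","SUCCESS","Length: 0"
"10:01:02.6","explorer.exe","1234","RegQueryValue","HKCU\Software\Foo","NAME NOT FOUND","Length: 144"
"10:01:02.7","suspect.exe","4242","SetDispositionInformationFile","C:\Users\me\Desktop\notes.txt","SUCCESS","Delete: True"
'''

# Operations that change host state, grouped by kind of effect. Read-only
# operations (CreateFile for read, RegQueryValue, ...) are deliberately ignored.
EFFECT_OF_OP = {
    "WriteFile": "file_write",
    "SetDispositionInformationFile": "file_delete",
    "RegSetValue": "registry_write",
    "RegCreateKey": "registry_write",
    "TCP Connect": "network",
    "Process Create": "process_create",
}

def summarize(csv_text, process_name):
    """Map effect kind -> sorted unique paths changed by process_name (SUCCESS rows only)."""
    effects = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        if row["Process Name"].lower() != process_name.lower():
            continue  # other processes' activity is not what we are tracing
        if row["Result"] != "SUCCESS":
            continue  # failed attempts are noise for a "what did it change" view
        effect = EFFECT_OF_OP.get(row["Operation"])
        if effect:
            effects[effect].add(row["Path"])
    return {kind: sorted(paths) for kind, paths in effects.items()}

def autostart_writes(summary):
    """Registry writes under the Run/RunOnce keys; a dropped file registered there is re-launched at logon."""
    markers = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
    return [p for p in summary.get("registry_write", [])
            if any(m in p.lower() for m in markers)]

REPORT = summarize(SAMPLE_CSV, "suspect.exe")
```

Point the same two functions at a real export by reading the file into `csv_text`; the counts alone usually tell you whether the sample dropped files, touched autostart keys or talked to the network before you open WinDbg.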
A: 

A few options that provide "a sandboxed" environment. (That was the question, right? Not whether you could run it in a VM.)

joveha