Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)

Reading the contents of deleted and modified files in the virtualization-based black-box binary analysis system Drakvuf

https://doi.org/10.15514/ISPRAS-2018-30(5)-7

Abstract

The article discusses ways to obtain the content of files that are modified while a sample is being processed in the well-known open-source dynamic analysis environment Drakvuf. Drakvuf originally implemented file saving on top of undocumented mechanisms for working with the system cache. The author of this article proposes a new approach to obtaining file content on Microsoft Windows family systems using Drakvuf. The proposed approach relies solely on the hypervisor's use of the public kernel interface and is therefore portable between different versions of the operating system. In the conclusion of the article, the advantages and disadvantages of both approaches are presented, and directions for further work are proposed.

About the Author

S. G. Kovalev
Positive Technologies
Russian Federation



For citations:

Kovalev S.G. Reading the contents of deleted and modified files in the virtualization-based black-box binary analysis system Drakvuf. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2018;30(5):109-122. (In Russ.) https://doi.org/10.15514/ISPRAS-2018-30(5)-7



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)