DRAKVUF: Black-box Binary Analysis



DRAKVUF consists of several plugins, each collecting different aspects of the guests’ execution, like logging system calls or tracking kernel heap allocations.

It is a virtualization based agentless black-box binary analysis system. DRAKVUF allows for in-depth execution tracing of arbitrary binaries (including operating systems), all without having to install any special software within the virtual machine used for analysis.



Hardware requirements for DRAKVUF

DRAKVUF uses hardware virtualization extensions found in Intel CPUs. You will need an Intel CPU with virtualization support (VT-x) and with Extended Page Tables (EPT). DRAKVUF is not going to work on any other CPUs (such as AMD) or on Intel CPUs without the required virtualization extensions.




Currently available plugins for DRAKVUF:

  • syscalls
  • poolmon
  • objmon
  • exmon
  • filetracer
  • filedelete
  • ssdtmon
  • socketmon


The syscalls plugin is responsible for tracking the execution of function-entry-points responsible to handling system calls on Windows and Linux. The function accomplishes this by looping through the Rekall-profile and using a BREAKPOINT trap on each function whose name starts with Nt on Windows and sys_ on Linux.




The poolmon plugin tracks calls to the ExAllocatePoolWithTag function, which is responsible for allocating objects on the kernel heap in Windows.

The prototype of this function is defined as follows (form MSDN https://msdn.microsoft.com/en-us/library/windows/hardware/ff544520%28v=vs.85%29.aspx):




The objmon plugin monitors the execution of ObCreateObject. This function is also called when creating common objects in Windows. The ObjectType input defines an index into the Windows 7 type array, currently defining 42 objects.





The exmon plugin monitors the execution of KiDispatchException, which is the Windows exception handler function when an exception occurs in either user- or kernel-space. The plugin extracts the information from the TrapFrame input containing the CPU state when the exception occured.

The ReactOS definition of this function is as follows (from http://doxygen.reactos.org/d7/d7f/ntoskrnl_2ke_2amd64_2except_8c_a660d1a46ff201c5861caf9667937f73f.html):




The filetracer plugin monitors the use of _FILE_OBJECT structures by system-calls as well as internal kernel functions used by kernel drivers. With this approach we get a complete view of files being accessed on the system.





The filedelete plugin monitors the execution of NtSetInformationFile and ZwSetInformationFile, which are functions responsible for deleting files (there are some others too, such as NtDeleteFile). When the function is called and the fifth input of the function is FILE_DISPOSITION_INFORMATION (13) the file path is determined by walking the handle table of the process via the DRAKVUF function drakvuf_get_obj_by_handle. Once the address is known, it be extracting using the Volatility plugin dumpfiles.





The SSDTmon plugin monitors write-memory accesses to the System Service Descriptor Table used to store pointers to the system call handling functions. If malware hooks this table and redirects system calls, the syscalls plugin is affected as the original function(s) may no longer get called where it originally trapped. If this plugin detects a change, one must assume that the syscall plugin output is no longer complete.





The socketmon plugin monitors the usage of TCP and UPD sockets for Windows guests. It requires the creation of a Rekall profile for the tcpip.sys kernel module, which is normally located at C:\Windows\System32\drivers\tcpip.sys. You will need to copy this file to where you will be generating the Rekall profile at. To generate a Rekall profile for it you can use the pdbparse project to obtain the PDB:




Supported guests:

  • Windows 7 – 8, both 32 and 64-bit
  • Windows 10 64-bit
  • Linux 2.6.x – 4.x, both 32-bit and 64-bit




Malware analysis:

DRAKVUF provides a perfect platform for stealthy malware analysis as its footprint is nearly undetectable from the malware’s perspective. While DRAKVUF has been mainly developed with malware analysis in mind, it is certainly not limited to that task as it can be used to monitor the execution of arbitrary binaries.

Malware analysis




Highest Selling Technical Courses of Indian Cyber Security Solutions:

Certified Ethical Hacker Training in Bhubaneswar

Ethical Hacking Training in Bhubaneswar

Certified Ethical Hacker Training in Bangalore

Ethical Hacking Training in Bangalore

Certified Ethical Hacker Training in Hyderabad

Ethical Hacking Training in Hyderabad

Python Training in Bangalore

Python Training in Hyderabad

Python Training in Bhubaneswar

CCNA Training in Bangalore

Certified Ethical Hacker Certification – C | EH v10

Summer Training for CSE, IT, BCA & MCA Students 

Network Penetration Testing training

Ethical Hacking  training

Python Programming training

Diploma in Network Security Training

Android Development  training

Secured Coding in Java

Certified Network Penetration Tester 

Diploma in Web Application Security 

Certified Web Application Penetration Tester 

Certified Android Penetration Tester 

Certified Python Programming 

Advance Python Training 

Reverse Engineering Training  

Amazon Web Services Training  

VMware Training 


Cybersecurity services that can protect your company:

Web Security | Web Penetration Testing

Network Penetration Testing – NPT

Android App Penetration Testing

Source Web Development

Source Code Review

Android App Development

Digital Marketing Consultancy

Data Recovery


Other Location for Online Courses:





Leave a Reply

Your email address will not be published. Required fields are marked *



Click one of our representatives below to chat on WhatsApp or send us an email to [email protected]

× Hi How can we help you