May 7, 2018
0

DRAKVUF: Black-box Binary Analysis

Category : Blog

DRAKVUF

DRAKVUF consists of several plugins, each collecting different aspects of the guests’ execution, like logging system calls or tracking kernel heap allocations.

It is a virtualization based agentless black-box binary analysis system. DRAKVUF allows for in-depth execution tracing of arbitrary binaries (including operating systems), all without having to install any special software within the virtual machine used for analysis.

Hardware requirements for DRAKVUF

DRAKVUF uses hardware virtualization extensions found in Intel CPUs. You will need an Intel CPU with virtualization support (VT-x) and with Extended Page Tables (EPT). DRAKVUF is not going to work on any other CPUs (such as AMD) or on Intel CPUs without the required virtualization extensions.

Currently available plugins for DRAKVUF:

syscalls
poolmon
objmon
exmon
filetracer
filedelete
ssdtmon
socketmon

syscalls

The syscalls plugin is responsible for tracking the execution of function-entry-points responsible to handling system calls on Windows and Linux. The function accomplishes this by looping through the Rekall-profile and using a BREAKPOINT trap on each function whose name starts with Nt on Windows and sys_ on Linux.

Poolmon

The poolmon plugin tracks calls to the ExAllocatePoolWithTag function, which is responsible for allocating objects on the kernel heap in Windows.

The prototype of this function is defined as follows (form MSDN https://msdn.microsoft.com/en-us/library/windows/hardware/ff544520%28v=vs.85%29.aspx):

Objmon

The objmon plugin monitors the execution of ObCreateObject. This function is also called when creating common objects in Windows. The ObjectType input defines an index into the Windows 7 type array, currently defining 42 objects.

Exmon

The exmon plugin monitors the execution of KiDispatchException, which is the Windows exception handler function when an exception occurs in either user- or kernel-space. The plugin extracts the information from the TrapFrame input containing the CPU state when the exception occured.

The ReactOS definition of this function is as follows (from http://doxygen.reactos.org/d7/d7f/ntoskrnl_2ke_2amd64_2except_8c_a660d1a46ff201c5861caf9667937f73f.html):

filetracer

The filetracer plugin monitors the use of _FILE_OBJECT structures by system-calls as well as internal kernel functions used by kernel drivers. With this approach we get a complete view of files being accessed on the system.

Filedelete

The filedelete plugin monitors the execution of NtSetInformationFile and ZwSetInformationFile, which are functions responsible for deleting files (there are some others too, such as NtDeleteFile). When the function is called and the fifth input of the function is FILE_DISPOSITION_INFORMATION (13) the file path is determined by walking the handle table of the process via the DRAKVUF function drakvuf_get_obj_by_handle. Once the address is known, it be extracting using the Volatility plugin dumpfiles.

SSDTmon

The SSDTmon plugin monitors write-memory accesses to the System Service Descriptor Table used to store pointers to the system call handling functions. If malware hooks this table and redirects system calls, the syscalls plugin is affected as the original function(s) may no longer get called where it originally trapped. If this plugin detects a change, one must assume that the syscall plugin output is no longer complete.

Socketmon

The socketmon plugin monitors the usage of TCP and UPD sockets for Windows guests. It requires the creation of a Rekall profile for the tcpip.sys kernel module, which is normally located at C:\Windows\System32\drivers\tcpip.sys. You will need to copy this file to where you will be generating the Rekall profile at. To generate a Rekall profile for it you can use the pdbparse project to obtain the PDB:

Supported guests:

Windows 7 – 8, both 32 and 64-bit
Windows 10 64-bit
Linux 2.6.x – 4.x, both 32-bit and 64-bit

Malware analysis:

DRAKVUF provides a perfect platform for stealthy malware analysis as its footprint is nearly undetectable from the malware’s perspective. While DRAKVUF has been mainly developed with malware analysis in mind, it is certainly not limited to that task as it can be used to monitor the execution of arbitrary binaries.