Reading the contents of deleted and modified files in the virtualization based black-box binary analysis system Drakvuf


Bibliographic Details
Main Author: S. G. Kovalev (Positive Technologies)
Format: Article
Language: English
Published: Ivannikov Institute for System Programming of the Russian Academy of Sciences, 2018-12-01
Series: Proceedings of the Institute for System Programming of the RAS (Труды Института системного программирования РАН)
Subjects: malware; dynamic analysis; injection; drakvuf; virtual machine introspection
Online Access: https://ispranproceedings.elpub.ru/jour/article/view/1108
collection DOAJ
language English
format Article
sources DOAJ
author S. G. Kovalev
publisher Ivannikov Institute for System Programming of the Russian Academy of Sciences
series Proceedings of the Institute for System Programming of the RAS (Труды Института системного программирования РАН)
issn 2079-8156; 2220-6426
publishDate 2018-12-01
description The article discusses ways to obtain the contents of files that are modified while a sample is being processed in the well-known open-source dynamic analysis environment Drakvuf. Drakvuf initially implemented its file-saving functionality on top of undocumented mechanisms for working with the system cache. The author proposes a new approach to obtaining file contents on Microsoft Windows family systems using Drakvuf. The proposed approach relies solely on the hypervisor using the kernel's public interface, and is therefore portable across different versions of the operating system. The article concludes by presenting the advantages and disadvantages of both approaches and proposing directions for further work.
topic malware
dynamic analysis
injection
drakvuf
virtual machine introspection
url https://ispranproceedings.elpub.ru/jour/article/view/1108