DRAKVUF Sandbox – Black-box Binary Analysis System

Introduction

DRAKVUF™ is a virtualization-based, agentless black-box binary analysis system. DRAKVUF™ allows in-depth execution tracing of arbitrary binaries (including operating systems), all without having to install any special software within the virtual machine used for analysis.

Hardware requirements

DRAKVUF™ uses hardware virtualization extensions found in Intel CPUs. You will need an Intel CPU with virtualization support (VT-x) and with Extended Page Tables (EPT). DRAKVUF™ is not going to work on any other CPUs (such as AMD) or on Intel CPUs without the required virtualization extensions.
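As an added example (not part of the DRAKVUF project's own tooling), a POSIX shell preflight check that reads a /proc/cpuinfo-style file and verifies the requirements above: an Intel CPU with VT-x (the "vmx" flag) and EPT (the "ept" flag). The function name and the sample cpuinfo content at the end are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the DRAKVUF project: preflight check for the
# hardware requirements stated above. Reads a /proc/cpuinfo-style file and
# verifies an Intel CPU with VT-x ("vmx" flag) and EPT ("ept" flag).
# Returns 0 when every requirement is met, 1 otherwise.
# Usage on the analysis host: drakvuf_cpu_check     (defaults to /proc/cpuinfo)
drakvuf_cpu_check() {
    cpuinfo="${1:-/proc/cpuinfo}"
    # First CPU's vendor string and flag list; lines look like "name<tabs>: value".
    vendor=$(awk -F': ' '/^vendor_id/ { print $2; exit }' "$cpuinfo")
    flags=$(awk -F': ' '/^flags/ { print $2; exit }' "$cpuinfo")
    status=0

    if [ "$vendor" = "GenuineIntel" ]; then
        echo "OK:   Intel CPU ($vendor)"
    else
        echo "FAIL: vendor is '${vendor:-unknown}'; DRAKVUF requires an Intel CPU"
        status=1
    fi

    # Match whole flag words: "ept" must not match a longer flag such as "ept_ad".
    case " $flags " in
        *" vmx "*) echo "OK:   VT-x (vmx) available" ;;
        *) echo "FAIL: VT-x (vmx) flag missing (no hardware virtualization, or nested"
           echo "      virtualization not exposed to this VM)"; status=1 ;;
    esac
    case " $flags " in
        *" ept "*) echo "OK:   EPT (ept) available" ;;
        *) echo "FAIL: EPT (ept) flag missing"; status=1 ;;
    esac
    return $status
}

# Demonstration on a constructed sample (not a real host's /proc/cpuinfo).
sample=$(mktemp)
printf 'vendor_id\t: GenuineIntel\nflags\t\t: fpu vme vmx ept sse2\n' > "$sample"
drakvuf_cpu_check "$sample"
rm -f "$sample"
```

Run it on the bare-metal host that will carry the analysis VMs; inside a guest without nested virtualization the vmx and ept flags are absent even when the physical CPU has them.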

Supported guests

DRAKVUF™ currently supports monitoring the following operating systems:

  • Windows 7-8, both 32-bit and 64-bit
  • Windows 10 64-bit
  • Linux 2.6.x – 5.x, both 32-bit and 64-bit

Malware analysis

DRAKVUF™ provides a perfect platform for stealthy malware analysis, as its footprint is nearly undetectable from the malware’s perspective. While DRAKVUF has been developed mainly with malware analysis in mind, it is certainly not limited to that task, as it can be used to monitor the execution of arbitrary binaries.

Basic installation

These instructions assume that you want to create a single-node installation with the default components, which is recommended for beginners.

  1. Download the latest release packages.
  2. Install DRAKVUF:

     sudo apt update
     sudo apt install ./drakvuf-bundle*.deb
     sudo reboot

  3. Install the DRAKVUF Sandbox stack:

     sudo apt install redis-server
     sudo apt install ./drakcore*.deb
     sudo apt install ./drakrun*.deb

  4. Execute:

     sudo draksetup install --iso /opt/path_to_windows.iso

     and carefully read the command’s output. This command runs a virtual machine that performs the Windows system installation.

Unattended installation: If you have an autounattend.xml matching your Windows ISO, you can request an unattended installation by adding --unattended-xml /path/to/autounattend.xml. An unattended install configuration can be generated with the Windows Answer File Generator.

Storage backend: By default, DRAKVUF Sandbox stores the virtual machine’s HDD in a qcow2 file. If you want to use ZFS instead, please check the “Optional features” section below.

  5. Use VNC to connect to the installation process:

     vncviewer localhost:5900

  6. Perform the Windows installation until you are booted to the desktop.
  7. Execute:

     sudo draksetup postinstall

Note: Add --no-report if you don’t want draksetup to send a basic usage report.

  8. Test your installation by navigating to the web interface (http://localhost:6300/) and uploading some samples. The default analysis time is 10 minutes.

