DRAKVUF Sandbox – Black-box Binary Analysis System
DRAKVUF™ is a virtualization based agentless black-box binary analysis system. DRAKVUF™ allows for in-depth execution tracing of arbitrary binaries (including operating systems), all without having to install any special software within the virtual machine used for analysis.
DRAKVUF™ uses hardware virtualization extensions found in Intel CPUs. You will need an Intel CPU with virtualization support (VT-x) and with Extended Page Tables (EPT). DRAKVUF™ is not going to work on any other CPUs (such as AMD) or on Intel CPUs without the required virtualization extensions.
DRAKVUF™ currently supports monitoring the following operating systems:
- Windows 7-8, both 32-bit and 64-bit
- Windows 10 64-bit
- Linux 2.6.x – 5.x, both 32-bit and 64-bit
DRAKVUF™ provides a strong platform for stealthy malware analysis, as its footprint is nearly undetectable from the malware’s perspective. While DRAKVUF has been developed mainly with malware analysis in mind, it is not limited to that task: it can be used to monitor the execution of arbitrary binaries.
These instructions assume that you want to create a single-node installation with the default components, which is recommended for beginners.
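Before starting the installation it is worth confirming that the host actually meets the CPU requirement stated above, because a missing VT-x or EPT only shows up later as a failing VM. The following pre-flight check is an added example and not part of the DRAKVUF project. It reads the Linux /proc/cpuinfo format, where VT-x appears as the vmx flag and Extended Page Tables as the ept flag, and requires the vendor to be GenuineIntel; the function name and the sample cpuinfo excerpts are constructed for this example.

```sh
#!/bin/sh
# Added example (not part of the DRAKVUF project): pre-flight check for the
# CPU requirement above. Linux reports VT-x as the "vmx" flag and Extended
# Page Tables as the "ept" flag in /proc/cpuinfo; both must be present and the
# vendor must be Intel, otherwise DRAKVUF will not run on this host.

# drakvuf_cpu_ok TEXT: TEXT is the content of /proc/cpuinfo. Prints a verdict
# and returns 0 when the CPU is supported, 1 otherwise. Only the first
# vendor_id and flags lines are inspected, which is enough on a uniform host.
drakvuf_cpu_ok() {
    cpuinfo=$1
    vendor=$(printf '%s\n' "$cpuinfo" | awk -F': ' '/^vendor_id/ { print $2; exit }')
    flags=$(printf '%s\n' "$cpuinfo" | awk -F': ' '/^flags/ { print $2; exit }')

    if [ "$vendor" != "GenuineIntel" ]; then
        echo "unsupported CPU vendor: ${vendor:-unknown}"
        return 1
    fi
    # vmx is absent when VT-x is disabled in firmware; ept is absent on old
    # Intel parts and on many nested-virtualization setups.
    for feature in vmx ept; do
        case " $flags " in
            *" $feature "*) ;;
            *) echo "missing CPU feature: $feature"; return 1 ;;
        esac
    done
    echo "CPU ok: Intel with VT-x (vmx) and EPT (ept)"
    return 0
}

# Constructed sample excerpts in /proc/cpuinfo format (not captured from real hosts).
SAMPLE_INTEL_OK='vendor_id : GenuineIntel
model name : Intel(R) Xeon(R) CPU
flags : fpu vme de pse tsc msr pae mce vmx ept sse4_2 avx2'

SAMPLE_AMD='vendor_id : AuthenticAMD
model name : AMD EPYC
flags : fpu vme de pse tsc msr pae mce svm npt sse4_2 avx2'

SAMPLE_INTEL_NO_EPT='vendor_id : GenuineIntel
model name : Intel(R) Core(TM)2 Duo
flags : fpu vme de pse tsc msr pae mce vmx sse4_1'

# Check the machine this script runs on (skipped where /proc/cpuinfo is absent).
if [ -r /proc/cpuinfo ]; then
    drakvuf_cpu_ok "$(cat /proc/cpuinfo)"
fi
```

If the check reports a missing vmx flag on an Intel machine, the usual cause is virtualization being disabled in the firmware setup rather than an unsupported CPU; a missing ept inside a virtual machine means the hypervisor does not expose nested EPT, and such a guest is not a usable DRAKVUF host.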
- Download latest release packages.
- Install DRAKVUF:
sudo apt update
sudo apt install ./drakvuf-bundle*.deb
sudo reboot
- Install DRAKVUF Sandbox stack:
sudo apt install redis-server
sudo apt install ./drakcore*.deb
sudo apt install ./drakrun*.deb
- Run the following command and carefully read its output; it starts a virtual machine that boots the Windows installer from the given ISO:
sudo draksetup install --iso /opt/path_to_windows.iso
Unattended installation: If you have an autounattend.xml matching your Windows ISO, you can request unattended installation by adding --unattended-xml /path/to/autounattend.xml. An unattended install configuration can be generated with Windows Answer File Generator.
Storage backend: By default, DRAKVUF Sandbox stores the virtual machine’s HDD in a qcow2 file. If you want to use ZFS instead, please check the “Optional features” section below.
- Use VNC to connect to the installation process.
- Perform Windows installation until you are booted to the desktop.
- Finish the setup with the following command (add --no-report if you don’t want draksetup to send a basic usage report):
sudo draksetup postinstall
- Test your installation by navigating to the web interface (http://localhost:6300/) and uploading some samples. The default analysis time is 10 minutes.