Research project

Discussions related to using the OSE version of VirtualBox.


Post by SamASR » 23. Mar 2019, 13:37

Hi community!
I wonder if there are any projects like DECAF, PANDA or DRAKVUF that are based not on QEMU but on VirtualBox?
I myself could only find one, HyBIS ("Windows Guest Protection through Advanced Memory Introspection"), but it is not publicly available.

Functions I would like to see (or maybe implement):
1) API tracer (syscall interception, IDT hooking)
2) Memory introspection (with the Rekall forensic framework)
3) Instruction tracer

Has anyone tried implementing these functions in VirtualBox OSE?
I started analysing the VMM (R3, R0, All) sections of the code to implement an API tracer, especially the three functions emR3RawExecute, emR3HmExecute and emR3RemExecute in VMM\VMMR3\EM.cpp.
The main idea is to rewrite the EIP of the syscall to an illegal value, so that when the call is attempted a page fault occurs with a VMEXIT, to gain control in the handler and log everything needed...
Am I doing everything right, or are there easier ways to intercept syscalls?
SamASR
 
Posts: 14
Joined: 19. Mar 2019, 22:34
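The "poisoned EIP" scheme the post describes (point the call target at an address that cannot execute, take the fault, log the call, then fix up the instruction pointer and resume in the real target) can be tried out without a hypervisor. The example below is added here and is not code from VirtualBox, HyBIS or the original poster; it is a user-space analogue for Linux x86-64 with glibc, where a PROT_NONE page plays the role of the illegal guest address, the SIGSEGV handler plays the role of the #PF VM-exit handler, and rewriting REG_RIP in the ucontext plays the role of writing the guest RIP back into the VMCS/VMCB. The three "services", their numbering, the 16-byte slot encoding and the trace format are all constructed for the example.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>

/* glibc exposes the REG_* indices only under _GNU_SOURCE. If some libc header
   was included before this file, fall back to the x86-64 glibc layout.
   Assumption for the whole example: Linux, x86-64, glibc. */
#ifndef REG_RIP
#define REG_RDI 8
#define REG_RSI 9
#define REG_RIP 16
#endif

/* Constructed stand-ins for guest system services, keyed by "syscall number". */
typedef long (*service_fn)(long, long);
static long svc_add(long a, long b) { return a + b; }
static long svc_mul(long a, long b) { return a * b; }
static long svc_sub(long a, long b) { return a - b; }
static service_fn real_table[] = { svc_add, svc_mul, svc_sub };
#define NSVC (sizeof real_table / sizeof real_table[0])
#define SLOT 16   /* slot i of the poisoned page stands for syscall number i */

static uint8_t *trap_page;                  /* PROT_NONE: any fetch here faults  */
static service_fn volatile poisoned[NSVC];  /* the "guest" calls these, not real_table */

/* Trace captured by the fault handler: one entry per intercepted call. */
struct trace { long nr, a, b; };
#define MAXTRACE 64
static struct trace trace_log[MAXTRACE];
static volatile int trace_len;

static void on_fault(int sig, siginfo_t *si, void *ctx)
{
    (void)si;
    ucontext_t *uc = ctx;
    uintptr_t rip  = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
    uintptr_t base = (uintptr_t)trap_page;

    /* Only a fault whose RIP is exactly one of our poisoned slots is ours.
       Anything else is a real crash: restore SIG_DFL and return, so the
       instruction re-faults and the process dies normally instead of looping. */
    if (!trap_page || rip < base || rip >= base + NSVC * SLOT || (rip - base) % SLOT) {
        signal(sig, SIG_DFL);
        return;
    }
    long nr = (long)((rip - base) / SLOT);
    if (trace_len < MAXTRACE) {
        trace_log[trace_len].nr = nr;
        trace_log[trace_len].a  = (long)uc->uc_mcontext.gregs[REG_RDI]; /* SysV arg 0 */
        trace_log[trace_len].b  = (long)uc->uc_mcontext.gregs[REG_RSI]; /* SysV arg 1 */
        trace_len++;
    }
    /* Fix up the instruction pointer and resume in the real service. The CALL that
       faulted already pushed its return address, so the service returns to the caller. */
    uc->uc_mcontext.gregs[REG_RIP] = (greg_t)(uintptr_t)real_table[nr];
}

/* Reserve the poisoned page, point every "syscall" at it, install the handler. */
int tracer_install(void)
{
    if (trap_page) return 0;
    void *p = mmap(NULL, 4096, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    trap_page = p;
    for (size_t i = 0; i < NSVC; i++)
        poisoned[i] = (service_fn)(uintptr_t)(trap_page + i * SLOT);

    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* What the "guest" does: call the poisoned pointer as if it were the service. */
long guest_call(long nr, long a, long b)
{
    if (nr < 0 || (size_t)nr >= NSVC) return -1;
    return poisoned[nr](a, b);
}

int trace_count(void) { return trace_len; }
const struct trace *trace_entry(int i)
{
    return (i >= 0 && i < trace_len) ? &trace_log[i] : NULL;
}

int main(void)
{
    if (tracer_install() != 0) { perror("tracer_install"); return 1; }
    long r0 = guest_call(0, 2, 3), r1 = guest_call(1, 4, 5), r2 = guest_call(2, 9, 4);
    printf("add(2,3)=%ld mul(4,5)=%ld sub(9,4)=%ld\n", r0, r1, r2);
    for (int i = 0; i < trace_count(); i++)
        printf("trace: nr=%ld args=(%ld,%ld)\n", trace_log[i].nr, trace_log[i].a, trace_log[i].b);
    return 0;
}
```

Two caveats carry over to the hypervisor version of this trick. First, the poisoned address must be one the guest never legitimately fetches from, and the handler must check that the faulting RIP is exactly a poisoned slot, otherwise an unrelated guest page fault is swallowed or mis-dispatched; the in-range check above is the user-space form of that. Second, under VT-x or AMD-V with nested paging a guest #PF does not exit to the hypervisor at all unless the exception bitmap (VMX) or intercept mask (SVM) includes vector 14, so the scheme only works in hardware-assisted mode if that intercept is enabled, at the cost of exiting on every guest page fault, not just the poisoned ones.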
