Research project

Discussions related to using the OSE version of VirtualBox.
SamASR
Posts: 14
Joined: 19. Mar 2019, 22:34


Post by SamASR »

Hi community!
I wonder if there are any projects like DECAF, PANDA, DRAKVUF based not on QEMU, but on VirtualBox?
I myself could only find one - HyBIS, "Windows Guest Protection through Advanced Memory Introspection", but it is not publicly available.

The functions I would like to see (or maybe implement):
1) API tracer (syscall interception, IDT hooking)
2) Memory introspection (with the Rekall forensic framework)
3) Instruction tracer

Has anyone tried doing these functions in VirtualBox OSE?
I started analysing the VMM (R3, R0, All) sections of the code to implement an API tracer, especially the three functions "emR3RawExecute, emR3HmExecute, emR3RemExecute" in VMM\VMMR3\EM.cpp.
The main idea is to rewrite the syscall EIP to an illegal value, so that when a call is attempted a page fault occurs with a VMEXIT, giving control to the handler to log everything needed...
Am I doing everything right, or are there easier ways to intercept syscalls?