Research project

Posted: 23. Mar 2019, 13:37
by SamASR
Hi community!
I wonder if there are any projects like DECAF, Panda, DRAKVUF based not on Qemu, but on VirtualBox?
I myself could only find one - HyBIS "Windows Guest Protection through Advanced Memory Introspection", but it is not publicly available.

What functions I would like to see (or maybe implement):
1) API tracer (syscall interception, IDT hooking)
2) Memory introspection (with the Rekall forensic framework)
3) Instruction tracer

Has anyone tried doing these functions in VirtualBox OSE?
I started analysing the VMM (R3, R0, All) sections of code to implement an API tracer - especially three functions "emR3RawExecute, emR3HmExecute, emR3RemExecute" in VMM\VMMR3\EM.cpp;
The main idea is to rewrite the EIP of the syscall to an illegal value, so when a call is attempted a page fault occurs with a VMEXIT - to gain control in the handler and log everything needed...
Am I doing everything right, or are there easier ways to intercept syscalls?