tklengyel / drakvuf
DRAKVUF Black-box Binary Analysis

Home Page: https://drakvuf.com

License: Other

Languages: Shell 0.88%, C 40.69%, C++ 54.76%, Makefile 1.65%, M4 0.58%, Perl 0.18%, Python 0.92%, Meson 0.35%
Topics: malware-analysis, virtualization, xen, introspection

drakvuf's Introduction

DRAKVUF©


Introduction

DRAKVUF is a virtualization-based, agentless black-box binary analysis system. DRAKVUF allows for in-depth execution tracing of arbitrary binaries (including operating systems), all without having to install any special software within the virtual machine used for analysis.

Hardware requirements

DRAKVUF uses hardware virtualization extensions found in Intel CPUs. You will need an Intel CPU with virtualization support (VT-x) and with Extended Page Tables (EPT). DRAKVUF is not going to work on any other CPUs (such as AMD) or on Intel CPUs without the required virtualization extensions.

Supported guests

DRAKVUF currently supports:

  • Windows 7 - 8, both 32 and 64-bit
  • Windows 10 64-bit
  • Linux 2.6.x - 6.x, both 32-bit and 64-bit

Pre-built Debian packages

You can find pre-built Debian packages of the latest DRAKVUF builds at https://github.com/tklengyel/drakvuf-builds/releases

Malware analysis

DRAKVUF provides a perfect platform for stealthy malware analysis, as its footprint is nearly undetectable from the malware's perspective. While DRAKVUF has been mainly developed with malware analysis in mind, it is certainly not limited to that task: it can be used to monitor the execution of anything that executes within a VM, including firmware, OS kernels and user-space processes.

Graphical frontend

If you would like a full-featured DRAKVUF GUI to set up as an automated analysis sandbox, check out the DRAKVUF Sandbox project.

Installation steps

Installation steps can be found on the project website: https://drakvuf.com


drakvuf's Issues

Does Drakvuf monitor reading, writing and deleting in Windows Registry?

Hi. I would like to ask whether Drakvuf monitors reading, writing and deleting in the Windows Registry?
I find syscall-NtGetMUIRegistryInfo and poolmon-Registry query buffer in my log file. Does Drakvuf monitor where (/HKEY..., I mean) the reading, writing and deleting happened in the Windows Registry?

Command to take trace of malware program file placed in window 7

As you told me, I should place the executable on the disk somewhere in the VM and use the -i and -e options to make DRAKVUF start it for you.

  1. Can you please tell me the exact command to take a trace of the malware program?
     My file name is 'sam' (the malware file).

     I am running the command ./src/drakvuf -r /root/windows7-sp1.rekall.json -d 7 | grep sam
     Where should I place -e or -i in this command, or what is the correct command?

  2. After getting a whole system trace using drakvuf, I have to destroy and create a new image every time.

Please help with this issue.

Networking infrastructure questions

Hi Tamas,
I don't see clearly what the usual network topology used with Drakvuf is, but according to the clone.pl script I assume the DomUs are behind a virtual network with a VLAN for each clone using Openvswitch. I wonder how the clones can access the Internet while having the same MAC address; I see how you set a different clone IP address thanks to the preconfig.sh script, but I don't have a clue about which network interfaces are shared between Dom0 and the DomUs, or even who is doing NAT (MAC NAT?).

How are ebtables, iptables and Openvswitch mixed altogether to accomplish this task?
Is your Xen networking script different to the "vif-openvswitch" originally included in Xen?
Can you elaborate on this?

Many thanks in advance,

Robert

Hypervisor crash on Guest reboot

I recently encountered several crashes at the hypervisor level by foolishly executing the following steps:

  • Attach DRAKVUF to Guest
  • Reboot guest (manually or due to a crash)
  • Exit DRAKVUF with ^C

Unfortunately the most recent crash resulted in some kind of FS corruption so I can't attach more logs or do retests right now. Also I'm running a custom fork of DRAKVUF but I don't think my changes cause the problem (although I can't rule this out).

My guess is that things go wrong when DRAKVUF handles SIGINT, because everything seems to work normally until the signal is sent: the guest is rebooting/running, DRAKVUF is logging, although a lot of "Write memaccess" messages appear.

My main question is if there is a way to properly stop DRAKVUF in case a Guest reboot happens?

SHARP CPU COST AND HALT AT STOP

When I run the ./drakvuf cmd to monitor the execution of the guest VM, the VM's CPU cost sharply increases and keeps running at 100%. After inspecting the task manager, I found the major cost is caused by taskmgr.exe itself. So is it because drakvuf runs by default to inject taskmgr, and how can I reduce the impact on the VM's running?

Missing dereference when parsing KPCR

I think the FILEDELETE plugin misses a dereference when parsing the KPCR in order to find the EPROCESS structure.

At https://github.com/tklengyel/drakvuf/blob/master/src/plugins/filedelete/filedelete.c#L204 :

    vmi_read_addr_va(vmi, fsgs + offsets[KPCR_PRCB] + offsets[KPRCB_CURRENTTHREAD],
                     0, &thread);

As you can see in the following KD output (Win7 32-bit), the KPCR_PRCB offset is a pointer, not a substructure:

kd> dt _KPCR 0x82941c00
ntdll!_KPCR
   +0x000 NtTib            : _NT_TIB
   +0x000 Used_ExceptionList : 0x8ad8653c _EXCEPTION_REGISTRATION_RECORD
   +0x004 Used_StackBase   : (null) 
   +0x008 Spare2           : (null) 
   +0x00c TssCopy          : 0x801db000 Void
   +0x010 ContextSwitches  : 0x6a6d4
   +0x014 SetMemberCopy    : 1
   +0x018 Used_Self        : 0x7ffdf000 Void
   +0x01c SelfPcr          : 0x82941c00 _KPCR
   +0x020 Prcb             : 0x82941d20 _KPRCB
   +0x024 Irql             : 0x1f ''
...

kd> dt _EPROCESS poi(poi(poi(0x82941c00+0x20)+4)+0x150)
ntdll!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x098 ProcessLock      : _EX_PUSH_LOCK
   +0x0a0 CreateTime       : _LARGE_INTEGER 0x01d13401`f7ad4a81
   +0x0a8 ExitTime         : _LARGE_INTEGER 0x0
   +0x0b0 RundownProtect   : _EX_RUNDOWN_REF
   +0x0b4 UniqueProcessId  : 0x00000e14 Void


I noticed this while studying the code but couldn't specifically test it yet, although I remember Volatility failing on null pointers during previous (unrelated) tests.
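The pointer chase described above, as an added example that is not DRAKVUF or LibVMI code: a constructed 32-bit Win7 memory window is populated with the Prcb pointer and Irql value from the KD dump quoted in the issue (the thread and EPROCESS addresses are made up), and the KPCR -> KPRCB -> KTHREAD -> EPROCESS walk is run once as the plugin does it, with Prcb treated as an embedded structure, and once with the dereference the report asks for.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Addresses from the KD output in the issue; THREAD_VA and EPROCESS_VA are constructed. */
#define KPCR_VA     0x82941c00u
#define PRCB_VA     0x82941d20u   /* _KPCR.Prcb : 0x82941d20 _KPRCB (a pointer) */
#define THREAD_VA   0x82941e00u   /* constructed _KTHREAD address */
#define EPROCESS_VA 0x84b6a5d0u   /* constructed _EPROCESS address */

/* 32-bit Win7 offsets, named as the plugin names them, plus _KTHREAD.Process,
 * matching the KD expression poi(poi(poi(KPCR+0x20)+4)+0x150). */
enum { KPCR_PRCB = 0x20, KPRCB_CURRENTTHREAD = 0x04, KTHREAD_PROCESS = 0x150 };

/* Emulated guest memory: a 1 KiB window starting at the KPCR. */
#define GUEST_BASE KPCR_VA
#define GUEST_SIZE 0x400u
static uint8_t guest_mem[GUEST_SIZE];
static bool guest_ready = false;

static void write_32(uint32_t va, uint32_t value)
{
    memcpy(&guest_mem[va - GUEST_BASE], &value, sizeof value);
}

/* Populate only the fields the walk touches (values constructed from the KD dump). */
static void build_guest_memory(void)
{
    if (guest_ready) return;
    memset(guest_mem, 0, sizeof guest_mem);
    write_32(KPCR_VA + KPCR_PRCB, PRCB_VA);             /* _KPCR.Prcb pointer            */
    write_32(KPCR_VA + KPCR_PRCB + 4, 0x1f);            /* _KPCR.Irql : 0x1f (at +0x24)  */
    write_32(PRCB_VA + KPRCB_CURRENTTHREAD, THREAD_VA); /* _KPRCB.CurrentThread          */
    write_32(THREAD_VA + KTHREAD_PROCESS, EPROCESS_VA); /* _KTHREAD.Process              */
    guest_ready = true;
}

/* Stand-in for vmi_read_addr_va() on a 32-bit guest: fails, as LibVMI would,
 * when the address falls outside the emulated window (what a garbage pointer does). */
static bool read_addr(uint32_t va, uint32_t *out)
{
    if (va < GUEST_BASE || va + sizeof *out > GUEST_BASE + GUEST_SIZE)
        return false;
    memcpy(out, &guest_mem[va - GUEST_BASE], sizeof *out);
    return true;
}

/* The walk as reported: CurrentThread read at fsgs + KPCR_PRCB + KPRCB_CURRENTTHREAD,
 * i.e. Prcb treated as embedded. That reads the Irql field instead of a pointer.
 * Returns the EPROCESS address, or 0 when a read fails. */
uint32_t eprocess_missing_deref(uint32_t fsgs)
{
    uint32_t thread, process;
    build_guest_memory();
    if (!read_addr(fsgs + KPCR_PRCB + KPRCB_CURRENTTHREAD, &thread)) return 0;
    if (!read_addr(thread + KTHREAD_PROCESS, &process)) return 0;
    return process;
}

/* The walk with the missing dereference added: read the Prcb pointer first. */
uint32_t eprocess_with_deref(uint32_t fsgs)
{
    uint32_t prcb, thread, process;
    build_guest_memory();
    if (!read_addr(fsgs + KPCR_PRCB, &prcb)) return 0;
    if (!read_addr(prcb + KPRCB_CURRENTTHREAD, &thread)) return 0;
    if (!read_addr(thread + KTHREAD_PROCESS, &process)) return 0;
    return process;
}

int main(void)
{
    printf("missing dereference: EPROCESS = 0x%08x\n", eprocess_missing_deref(KPCR_VA));
    printf("with dereference:    EPROCESS = 0x%08x\n", eprocess_with_deref(KPCR_VA));
    return 0;
}
```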

Compilation fails on incompatible vmi_clear_event() invocation

I tried to compile the latest master, but make fails with the following error (on multiple occasions):

injector.c:781:9: error: too many arguments to function 'vmi_clear_event'
         vmi_clear_event(vmi, event, NULL);

(Edit: this is injector.c in libdrakvuf)

The corresponding API is defined like this in my /usr/local/include/libvmi/events.h:

status_t vmi_clear_event(
    vmi_instance_t vmi,
    vmi_event_t *event);

I looked at the history but couldn't find any relevant changes that would cause this. What am I missing?

Edit:
Now I see that the change was introduced with the altp2m merge, but it's still unclear how this should work.

DRAKVUF: Process Injection Error

When I inject any process, a blue screen error appears on the VM and it shuts down. When I try to use dynamic malware analysis, the results are pasted below. Your help will be appreciated.

robot@robot:~/drakvuf/src$ sudo ./drakvuf -r win7.json -d 3
DRAKVUF v0.2
[SYSCALL] ntoskrnl.exe!NtReleaseWorkerFactoryWorker
[SYSCALL] ntoskrnl.exe!NtWaitForMultipleObjects
[SYSCALL] ntoskrnl.exe!NtReleaseWorkerFactoryWorker
[POOLMON] Io (type: NonPagedPoolExecute, size: 32): nt!io,general IO allocations
[SYSCALL] ntoskrnl.exe!NtSetTimer
[POOLMON] NDwi (type: unknown_pool_type, size: 40): ndis.sys,NDIS_TAG_WORK_ITEM
[SYSCALL] ntoskrnl.exe!NtWaitForWorkViaWorkerFactory
[POOLMON] IoUs (type: unknown_pool_type, size: 16): nt!io,I/O SubSystem completion Context Allocation
[SYSCALL] ntoskrnl.exe!NtCallbackReturn
[SYSCALL] ntoskrnl.exe!NtCallbackReturn
[SYSCALL] ntoskrnl.exe!NtCallbackReturn
[SYSCALL] ntoskrnl.exe!NtWaitForWorkViaWorkerFactory
VMI_ERROR: Caught a memory event that had no handler registered in LibVMI @ GFN 9930 (0x26ca416), access: 2
robot@robot:~/drakvuf/src$ sudo ./drakvuf -r win7.json -d 3
DRAKVUF v0.2
robot@robot:~/drakvuf/src$

How to execute .jar files by injector?

Hi. Now I am trying to analyze a malware sample which is a jar file. I tried to hijack taskmgr.exe to execute it but failed. I had to execute it by double-clicking it.
Is this because the injector can currently only execute .exe files?

System hangs a lot during analysis

After configuring the tool, the system is hanging a lot.
The commands to set up dom0 specify some RAM size for dom0.
Can we increase the size of RAM after dom0 setup?

Does DRAKVUF trap execution of system calls through hypervisor

Hi,
I read the line below somewhere:

Syscalls do not trap through the hypervisor, only SYSENTER/SYSEXIT instructions do.
When SYSENTER EIP MSR points are set, we must alter them to generate a page fault at a
known address. When the page fault takes place, we need to extract the wanted information.
all this must be done transparently to the OS.

Could you please explain how DRAKVUF is trapping the syscalls then at Xen?

Filedelete uses wrong pointer in case of 32-bit guests

Relevant code:
https://github.com/tklengyel/drakvuf/blob/master/src/plugins/filedelete/filedelete.c#L288

The setinformation() function of the FILEDELETE plugin reads the address of the file info structure into the wrong pointer:

    reg_t handle = 0, fileinfo = 0, length = 0;

    if (pm == VMI_PM_IA32E) {
        // ...
    } else {
        ctx.addr = info->regs->rsp + sizeof(uint32_t);
        vmi_read_32(vmi, &ctx, (uint32_t*) &handle);
        ctx.addr += 2 * sizeof(uint32_t);
        vmi_read_32(vmi, &ctx, (uint32_t*) &info); // << Should output to fileinfo!
        ctx.addr += sizeof(uint32_t);
        vmi_read_32(vmi, &ctx, (uint32_t*) &length);
        ctx.addr += sizeof(uint32_t);
        vmi_read_32(vmi, &ctx, &fileinfoclass);
    }

    if (fileinfoclass == FILE_DISPOSITION_INFORMATION && length == 1) {
        uint8_t del = 0;
        ctx.addr = fileinfo;
        vmi_read_8(vmi, &ctx, &del);
        if (del) {
            //printf("DELETE FILE _FILE_OBJECT Handle: 0x%lx.\n", handle);
            grab_file_by_handle(drakvuf, info->vcpu, vmi, pm, info, handle);
        }
    }

Since the vmi_read inside the if block resulted in a NULL pointer, this never caused a crash but silently disabled FILEDELETE on 32-bit.

I can include a fix in PR #36 or issue a new PR if preferred.

Windows blue screen after xl restore when there are more than one vcpu

Hi. After I restored my Windows 7 VM with xl restore, it went into a blue screen.
Then I found this link: http://www.novell.com/support/kb/doc.php?id=7000036, which says "Windows queries a register on the front side bus in order to determine whether or not there are multiple processors. In some cases fully-virtual Windows machines, especially Windows Server 2003 R2, will load up only to blue screen later in the load process". So I changed the number of vcpus in the conf file to 1 and the problem is solved.
I suppose this is a problem in Xen. However, drakvuf supports multiple vcpus in the guest VM, right?

Can't stop DRAKVUF via SIGINT

DRAKVUF occasionally fails to stop on SIGINT. The domain it was attached to gets paused but the drakvuf process must be killed with SIGKILL. In this case it's not possible to reattach DRAKVUF to the unpaused process:

xc: error: Failed to enable vm_event
 (16 = Device or resource busy): Internal error
VMI_ERROR: vm_event is (or was) active on this domain
VMI_ERROR: Failed to initialize xen events.

(process:28551): GLib-CRITICAL **: g_hash_table_destroy: assertion 'hash_table != NULL' failed

The issue came up when testing #102, but I was able to reproduce it on master too: although the first SIGINT was handled correctly, after unpause and reattach the second SIGINT didn't work and I had to kill the process.

Segmentation Fault on running Drakvuf

I am getting a Segmentation Fault (core dumped) on running ./drakvuf since the cpp update. Should there be any change in the installation instructions for this?

Make Rekall offsets array available for plugins

Hi,

Currently the Drakvuf Rekall offsets array (located at src/libdrakvuf/vmi.h) is not available for use within the plugins, so in the end each plugin allocates its own Rekall offsets array; this way we're dealing with duplicated entries, wasting memory as more plugins come into play.

I agree it isn't critical, but in my humble opinion combining all the offsets into one array and making it available to all plugins would be desirable.

What do you think?

CR3 data type mismatch?

Take the following two pieces of code:
https://github.com/tklengyel/drakvuf/blob/master/src/vmi.c#L270
https://github.com/tklengyel/drakvuf/blob/master/src/vmi.c#L546

In the first case cr3 is defined as reg_t, which is typedef'd as uint64_t by LibVMI, since the value is retrieved by vmi_get_vcpureg(). In the second case the dtb variable is defined as uint32_t, since the value is retrieved using vmi_read_32_va(). This is causing me some headaches when trying to use those values as keys of a hash table, for example, but probably this is not the only problematic use case.

Can you please provide some advice on how to resolve this issue properly?

Windows 10 support

Hi,
now that Windows 7 mainstream support has ended (13th January 2015), is Windows 10 support planned for the near future?

It seems that Windows 10 would be a preferable choice instead of Windows 8.

AFAIK the object manager has changed significantly but Rekall starts to support it

Regards

Native filename extraction in FILEDELETE

There is a nice debug "facility" in the FILEDELETE plugin that simply prints the name of the extracted file before invoking Volatility:

https://github.com/tklengyel/drakvuf/blob/master/src/plugins/filedelete/filedelete.cpp#L221

It seems (and for my purposes it definitely is) useful to have the filename without invoking a (pretty slow) external command. Can we enable this debug print by default? (Volatility can be trivially disabled without touching DRAKVUF if not needed) If yes, what would be the desirable output format?

Drakvuf and Libvmi

I am very new to drakvuf and libVMI. I followed the instructions in http://drakvuf.com/.
When I compile drakvuf, I get an error which tells me the definitions in libvmi/events.h may be too old for drakvuf.
So I downloaded libvmi from https://github.com/libvmi/libvmi. But when I run ./configure, it says xen-events is missing. I am stuck.
Do I need to add any parameters when I compile Xen?
Hypervisor: Xen 4.5.0
OS: CentOS 7
Kernel: 3.12.50
And I run this on VMware.

command to execute multiple malware files

Hi, I am facing a problem in trace collection.

Since the guest OS hangs on each run of the drakvuf command,

it is difficult for me to take traces of around 1000 malware files.

Is there any way to execute all the malware samples and get the traces in a few commands?

system restarts in between after running DRAKVUF two three times

Hi, I am facing a problem in usage with DRAKVUF.

I was collecting traces of processes. I tried this command two or three times for collecting traces of all processes. Output was coming.
But after some time drakvuf does not give the trace and the system automatically restarts.

DRAKVUF User Manuals

drakvuf.com is a good source for installation of DRAKVUF, even for a lay user. According to what I got after studying DRAKVUF, it supports live file extraction and many other things, but from DRAKVUF I could not learn about the use of DRAKVUF. All I get is process injection and system calls. It would be a lot easier if someone could post some more documentation about usage, some user manual type stuff.

How CPU is configured to trap to hypervisor not to guest os on occurrence of a syscall

Could you please clarify this concept:

"How CPU is configured to trap to hypervisor not to guest os on occurrence of a syscall?"

Have you done some change in do_guest_trap() (file
xen/arch/x86/traps.c ) so that you can collect the information related to the process generating the trap?
What changes are done in the trap file to collect system call data?

Injector stalls (seemingly) randomly

Hi,
The injector seems to randomly stall at injection.
By random I mean that I call the injector - it stalls (see below) - then I destroy and restore the VM, reuse the exact same line with just the new domid inserted and it works. Any leads?
Btw. this did happen with older versions too, at least I observed it with a November release as well.

$ sudo injector /root/win.rekall.json 2 3320 "cmd.exe"
Init VMI on domID 2 -> win
Rekall profile: structure member 'Rip' not found
Failed to find offset for _KTRAP_FRAME:Rip
Reservation increased? 0 with new gfn: 0x3a764d
Xen altp2m view created with idx: 1 idr: 2
Injector starting cmd.exe through PID 3320
Target PID 3320 with DTB 0xb9e57180 to start 'cmd.exe'
Starting injection loop
Current thread: 92. Base: 0x84b6a5d0. ApcQueueable: 1.
Kernel stack base: 0x8c84bed0. Limit: 0x8c849000
Found target pid of 3320. PEB @ 0x7ffdf000. LDR @ 0x770f7880. INLOADORDER @ 0x1117f0.
Found module in PID 3320: taskmgr.exe
Found module in PID 3320: ntdll.dll
Found module in PID 3320: kernel32.dll
CreateProcessA @ 0x75482082
APC Normal routine @ 0x75482082. Kernel routine @ 0x828c002f
APC injected at 0x8c849000
Wrote trap to 0x75482082. Backup: 139

Here it stalls.

the clone.pl doesn't work

The clone.pl script at /tools fails as follows:

$ sudo ./clone.pl win7 100
Can't get domid of domain name 'win7-100-clone', maybe this domain does not exist.
Can't get domid of domain name 'win7-100-clone', maybe this domain does not exist.

What I want to do is creating a clone of win7 which has been configured with vlan 100 using open-vswitch. The message says win7-100-clone doesn't exist. Of course it doesn't exist! It is what I want to create! So what's the right usage of this clone script and how should I configure the VM to be able to clone?

DRAKVUF given some unexpected error

DRAKVUF was running well for tracing all normal processes.
But it's showing some unexpected error now:

I restarted everything right from libvmi, rekall and drakvuf again... but libvmi gives the list, drakvuf shows the error, and rekall is giving output.

Guest crash after unpause and reattach

Steps to reproduce:

  • Start a domain
  • Attach DRAKVUF to the domain (I disabled SYSCALLS and POOLMON for cleaner output)
  • Do stuff
  • Send Ctrl-C to DRAKVUF, the domain gets paused
  • Unpause domain
  • Attach DRAKVUF to the domain again
  • Wait
  • BSOD / VMI_ERROR

I was able to reproduce this on master with 32 and 64-bit Win7 VMs. The latest error msg I got was this (32-bit):

VMI_ERROR: Caught a memory event that had no handler registered in LibVMI @ GFN 760112 (0xb9930b0c), access: 6

On 64-bit EXMON usually catches an access violation in kernel mode:

[EXMON] EXCEPTION_RECORD: 166ce58 EXCEPTION_CODE: 10000004 FIRST_CHANCE: 1 RIP: 44c0b83 RAX: 0 RBX: 3c41610 RCX: d0b RDX: 232a000 RSP: 166d098 RBP: 72ffffb8 RSI: 61766441 RDI: 3c417c8 R8: 6860 R9: 500 R10: 2657000 R11:29c

Can anyone else reproduce this? Or is this expected behavior?

Failed to enable altp2m on domain!

I installed drakvuf successfully, but when I try to inject a process it gives an error:

root@noor-HP-ENVY-m6-Notebook-PC:~# injector /root/windows7-sp1.rekall.json 8 1820 calc.exe
Failed to enable altp2m on domain!

(process:9067): GLib-CRITICAL **: g_hash_table_iter_init: assertion 'hash_table != NULL' failed

(process:9067): GLib-CRITICAL **: g_hash_table_iter_next: assertion 'ri->version == ri->hash_table->version' failed

(process:9067): GLib-CRITICAL **: g_hash_table_destroy: assertion 'hash_table != NULL' failed

(process:9067): GLib-CRITICAL **: g_hash_table_destroy: assertion 'hash_table != NULL' failed
Segmentation fault (core dumped)

How to inject break points in Linux machine

The DRAKVUF paper explains the breakpoint injection technique on Windows very well: parsing the guest OS symbol file and injecting breakpoints.

How does the breakpoint injection technique work on Linux machines? Can you provide me some detailed information?

Thanks

Problem in building Xen from source

I am attempting to install DRAKVUF following this link on the drakvuf page. However, I am facing an issue in setting up Xen 4.6 from source. Once I add the fstab entry for /proc/xen, run update-rc.d and reboot, the system is unable to mount /proc/xen.

Can we try installing DRAKVUF on Xen 4.4? Could you tell me whether it works with Xen 4.4?

Thank you,

Process Injection not working ?

Hi,
I've updated the system to the latest commit yesterday and although the monitoring works just fine, no process injection seems to take place. I've used the same injection command as before, sth. like
-e "cmd.exe" or -e "C:\Windows\System32\cmd.exe".
The rest of my resources are about a week old (mainly libVMI and Volatility) but there doesn't seem to be critical changes to those repos.

Any leads to a possible reason?

Thanks!

[Update] Just tried the injector binary. It just outputs Starting ... through PID ... and then stalls.

DomU suddenly restarts/crash after some runs

Hi,

after making a clean upgrade from DRAKVUF C variant to the latest C++ variant my Windows7 SP1 x64 DomU reboots unexpectedly.

No error/crash shows on the DRAKVUF screen so it makes no sense to use gdb. I've been able to reproduce it just by enabling the EXMON plugin; unfortunately the restart is totally random, so sometimes the crash occurs after 2 DRAKVUF runs and sometimes after 6 runs (all runs using the timeout parameter):

root@vmi-test:/usr/local/src/drakvuf# ./configure --disable-plugin-syscalls --disable-plugin-poolmon --disable-plugin-objmon --disable-plugin-filedelete --enable-debug --disable-plugin-filetracer  --enable-debug
[snipped for brevity]
-------------------------------------------------------------------------------
DRAKVUF is configured as follows. Please verify that this configuration matches your expectations.

Host system type: x86_64-unknown-linux-gnu
Build system type: x86_64-unknown-linux-gnu
Installation prefix: /usr/local
-------------------------------------------------------------------------------
DRAKVUF Plugins
Syscalls:   no
Poolmon:    no
Filetracer: no
Filedelete: no
Objmon:     no
Exmon:      yes
-------------------------------------------------------------------------------
root@vmi-test:/usr/local/src/drakvuf# ./src/drakvuf -v -d win7-sp1-x64-2 -r /opt/dist/rekall/profiles/win7-sp1-x64.rekall.json  -t 30
DRAKVUF v0.2
Init VMI on domID 16 -> win7-sp1-x64-2
Rekall profile: '_KPCR' has no 'PrcbData' member
Failed to find offset for _KPCR:PrcbData
Reservation increased? 0 with new gfn: 0xa4b9b
Xen altp2m view created with idx: 1 idr: 2
Rekall profile: '_KTRAP_FRAME' has no 'Eip' member
Rekall profile: '_KTRAP_FRAME' has no 'Eax' member
Rekall profile: '_KTRAP_FRAME' has no 'Ebx' member
Rekall profile: '_KTRAP_FRAME' has no 'Ecx' member
Rekall profile: '_KTRAP_FRAME' has no 'Edx' member
Rekall profile: '_KTRAP_FRAME' has no 'Edi' member
Rekall profile: '_KTRAP_FRAME' has no 'Esi' member
Rekall profile: '_KTRAP_FRAME' has no 'Ebp' member
Rekall profile: '_KTRAP_FRAME' has no 'HardwareEsp' member
Inject traps in module list of [4]: System
        ntoskrnl.exe @ 0xfffff80002659000
Reservation increased? 0 with new gfn: 0xa4b96
Copied trapped page to new location
Activating remapped gfns in the altp2m views!
                New memory event guard set on page 10004
Creating new breakpoint guard lookup table @ 0x7ff202a846a0
                New memory event guard2 set on page 674710
Adding 0x2714c8c to breakpoint guard lookup table @ 0x7ff202a846a0.
                Trap added @ PA 0x2714c8c RPA 0xa4b96c8c Page 10004 for KiDispatchException.
Started DRAKVUF loop
Waiting for events in DRAKVUF...
Waiting for events in DRAKVUF...
*********
[snipped for brevity *BUT* the DomU has already crashed between these lines]
*********
Waiting for events in DRAKVUF...
Waiting for events in DRAKVUF...
DRAKVUF loop finished
VMI_ERROR: xc_hvm_set_mem_access failed with code: -1
VMI_ERROR: xc_hvm_set_mem_access failed with code: -1
close_vmi_drakvuf finished

The mentioned DomU is the same DomU used latest months for DRAKVUF tests (Windows Update disabled among other things), the LibVMI is the LibVMI cloned from tklengyel repository (today).

Just FYI this is my DomU config:

name = "win7-sp1-x64-2"

firmware_override = "/usr/local/lib/xen/boot/hvmloader"

builder='hvm'
memory = 1024
vcpus = 1
maxcpus = 1

hap  = 1
acpi = 1

on_poweroff = 'destroy'
on_reboot   = 'restart'
on_crash    = 'restart'

vif = [ 'type=ioemu,model=e1000,bridge=xenbr1.200,script=vif-openvswitch,backend=0,mac=00:06:5B:66:66:66' ]
disk = [ 'phy:/dev/analyzers/win7-sp1-x64-2,hda,w',
'file:/opt/iso/win7.iso,hdc:cdrom,r' ]

boot="cd"

vnc=1
vnclisten='0.0.0.0'
vncpasswd=''
vncunused=0
vncdisplay=2

serial = 'pty'
usb = 1
usbdevice = 'tablet'
altp2mhvm = 1
keymap = 'es'
vga = 'stdvga'
videoram = 16

DRAKVUF/LibVMI before the upgrade to C++ was running perfect with the same DomU.

Don't hesitate to contact me if you need anything else.

Regards

memsharing not enabled

Hi @tklengyel,
it's me again, :)

I wonder why the Xen memory sharing between the origin and the clone domains is not used...
Is there any kind of issues arising with HVM domains?

Cheers,

Robert

Using libdrakvuf in multithreading environment

Hi,
I don't know for sure if this is the right place to ask a question but haven't found any mailing list or forum, my apologies in advance.

I wonder how difficult it would be to make libdrakvuf thread safe. Apart from the usual suspects, the global variables from libdrakvuf itself (the arrays "offsets" and "struct_sizes" being the main candidates) and the global variables from the plugins, it doesn't seem impossible to me, but perhaps there is something I'm unaware of...

All the data needed can be encapsulated into the drakvuf_t struct and used as a drakvuf session along the code; in fact that's how it seems to have been designed already.

Regards and keep up the good work

Ubuntu 14.04 (kernel ver. 3.13.0-32 generic) compatibility with Xen 4.6

Hi,

I am installing DRAKVUF, but after running make -j4 install xen the error "EFI_VENDOR not set" comes up. I tried to fix the issue but I could not resolve it.

Also, I searched for Xen 4.6 compatibility with Ubuntu 14.04. I found that Ubuntu 14.04 has no repository for installing Xen 4.6. However, it has a repository for Xen 4.4.

Is this related to a compatibility issue with the Ubuntu 14.04 kernel?

drakvuf.com install guide typo (Volatility)

The install guide at drakvuf.com provides the following command to use for installing VMI address space support:

cp ../libvmi/tools/pyvmi/pyvmiaddressspace.py volatility/plugins/addresspaces

The destination path is incorrect, the correct path is:

cp ../libvmi/tools/pyvmi/pyvmiaddressspace.py volatility/plugins/addrspaces

Time out during the automated malware analysis

Hi. I did what "automated malware analysis setup" says with the latest version of drakvuf, whose main.cpp has been fixed. However, after the execution of preconfig.sh, it shows "failed to execute on domid because of a time out, creating new clone". Then the creation of a new clone repeats.
Is this timeout because of apache2? apache2 does not seem to work well with Ubuntu. I did what https://log.axcoto.com/article/164442852 tells, but I am not sure whether this really works out or not.
Btw, should I change "MrX" to my username in preconfig.sh?

Objmon doesn't initialize

I'm trying to create a new plugin based on objmon. I noticed that the plugin_myplugin_init() method never runs so I checked objmon and found the same behavior by simply recompiling the plugin with a debug printf() in the plugin_objmon_init() method (no output when running).

Neither can I observe any output from the objmon plugin.

While investigating the issue I also noticed that the #ifdef in plugins.h around PLUGIN_OBJMON refers to configuration options of the filedelete plugin, see: https://github.com/tklengyel/drakvuf/blob/master/src/plugins/plugins.h#L130

Unfortunately this can't be the cause of the issue as both plugins were enabled.

Infinite loop in drakvuf_get_symbols_from_rekall

On the latest master, enabling the SYSCALLS plugin makes DRAKVUF get stuck after displaying the following debug output:

DRAKVUF v0.2
Init VMI on domID 20 -> testx86
Rekall profile: '_KTRAP_FRAME' has no 'Rip' member
Failed to find offset for _KTRAP_FRAME:Rip
Reservation increased? 0 with new gfn: 0x39942c
Xen altp2m view created with idx: 1 idr: 2

Meanwhile the drakvuf process consumes ~95% of the available memory. Can't exit the program, have to kill it. Guest: Win7 32-bit.

How to communicate and send data between Xen patch and Dom0 program

Hi, this may not be the right place for asking this question. However, I would like to get some suggestions on the following issue.

I have a patch in Xen which stores some information about VM processes. I have another program running in Dom0 which intercepts this information.

i) I want to configure my patch running in Xen to send an alert notification to the program running in Dom0 to read the data, probably using event channels. How do I configure an event channel?
ii) Which API or command will be used to read the data from the patch buffer?

Thanks in anticipation,

Running DRAKVUF in VMWare workstation with nested virtualization support

Hi,

I was curious to see if this setup will work, so I am going to document the results here.

So far by enabling nested virtualization in VMWARE Workstation 9, I see

zashraf@ubuntu12:$ sudo modprobe msr
zashraf@ubuntu12:$ sudo rdmsr 0x3A
5

and /proc/cpuinfo also shows vmx and ept in flags.

Now following the instructions from drakvuf.com I am working on resolving the rekall_profile issue as running process_list says

VMI_ERROR: Rekall profile error on line 1: '[' or '{' expected near distorm.

BTW I am using latest version of Rekall (1.4).

Can anyone post how rekall profiles look from a working setup?

Thanks

Collecting syscalls/hypercalls for specific processes

I want to collect system call traces of specific processes running inside Guest VMs.

  1. There is a related question here, #3, but has this been integrated in the current version of Drakvuf?
  2. Is there any way to collect hypercalls invoked by the guest OS kernel to provide low-level memory access to user processes?

Thanks

Adding support to monitor specific process

I manually added a pid parameter to the function inject_traps(honeymon_clone_t *clone) so as to specify the pid to monitor (https://github.com/tklengyel/drakvuf/blob/master/src/vmi.c#L518).

And I replaced the default system process with this parameter (https://github.com/tklengyel/drakvuf/blob/master/src/vmi.c#L526).

However, the execution of drakvuf seems to be still monitoring the whole set of function calls of ntoskrnl.exe, instead of the ones initiated by the specified process. In my experiment, a calc.exe process is monitored and closed after some time while drakvuf still constantly produces output, which is awkward.
