Reading the contents of deleted and modified files in the virtualization based black-box binary analysis system Drakvuf


Bibliographic Details
Container / Source: Труды Института системного программирования РАН
Main Author: S. G. Kovalev
Format: Article
Language: English
Published in: Russian Academy of Sciences, Ivannikov Institute for System Programming, 2018-12-01
Online Access: https://ispranproceedings.elpub.ru/jour/article/view/1108
Description
Abstract: The article discusses ways to obtain the content of files that are modified during processing in the well-known open-source dynamic analysis environment Drakvuf. Drakvuf initially implemented file-saving functionality based on undocumented mechanisms for working with the system cache. The author of this article proposes a new approach to obtaining the content of files on Microsoft Windows family systems using Drakvuf. The proposed approach is based solely on the hypervisor's use of the kernel's public interface and provides portability between different versions of the operating system. In the conclusion of the article, the advantages and disadvantages of both approaches are presented, and directions for further work are proposed.
ISSN: 2079-8156
2220-6426