Proceedings of the Institute for System Programming of the RAS
Proceedings of the Institute for System Programming of the RAS, 2018, Volume 30, Issue 5, Pages 109–122
DOI: https://doi.org/10.15514/ISPRAS-2018-30(5)-7
(Mi tisp364)
This article is cited in 1 scientific paper (total in 1 paper)

Reading the contents of deleted and modified files in the virtualization based black-box binary analysis system Drakvuf

S. G. Kovalev

Positive Technologies
Full-text PDF (680 kB) Citations (1)
Abstract: The article discusses ways to obtain the content of files that are modified during processing in the well-known open-source dynamic analysis environment Drakvuf. Drakvuf initially implemented its file-saving functionality on top of undocumented mechanisms for working with the system cache. The author proposes a new approach to obtaining file content on Microsoft Windows systems using Drakvuf. The proposed approach relies solely on the public interface of the kernel, invoked by the hypervisor, and therefore remains portable across different versions of the operating system. The article concludes by presenting the advantages and disadvantages of both approaches and proposing directions for further work.
Keywords: malware, dynamic analysis, injection, Drakvuf, Virtual Machine Introspection.
Document Type: Article
Language: English
Citation: S. G. Kovalev, “Reading the contents of deleted and modified files in the virtualization based black-box binary analysis system Drakvuf”, Proceedings of ISP RAS, 30:5 (2018), 109–122
Citation in format AMSBIB
\Bibitem{Kov18}
\by S.~G.~Kovalev
\paper Reading the contents of deleted and modified files in the virtualization based black-box binary analysis system Drakvuf
\jour Proceedings of ISP RAS
\yr 2018
\vol 30
\issue 5
\pages 109--122
\mathnet{http://mi.mathnet.ru/tisp364}
\crossref{https://doi.org/10.15514/ISPRAS-2018-30(5)-7}
Linking options:
  • https://www.mathnet.ru/eng/tisp364
  • https://www.mathnet.ru/eng/tisp/v30/i5/p109