Comments (7)

allewwaly avatar allewwaly commented on August 15, 2024

BTW, the vm halted when I stopped drakvuf with Ctrl+C

from drakvuf.

tklengyel avatar tklengyel commented on August 15, 2024

On Mon May  4 2015 03:44:35 AM CEST, aweally [email protected] wrote:

BTW, the vm halted when I stopped drakvuf with Ctrl+C

That's by design so that the malware doesn't continue to run without an observer.


tklengyel avatar tklengyel commented on August 15, 2024

On Mon May  4 2015 03:41:18 AM CEST, aweally [email protected] wrote:

When I run the ./drakvuf cmd to monitor the execution of the guest vm,
the vm's cpu cost sharply increases and keeps running at 100%. After
inspecting the task manager, I found the major cost is caused by
taskmgr.exe itself. So was it because drakvuf runs default to inject
taskmgr, and how can I reduce the impact on the vm's running?

Drakvuf can inject into any executing process, you don't need taskmgr for that. I have noticed the cpu spike taskmgr shows as well, but I haven't been able to track down the root cause.

allewwaly avatar allewwaly commented on August 15, 2024

Thanks for your reply. Here're another two questions.

  1. How can I assign a particular process to monitor instead of all execution of the os? The current outputs are really noisy and costly in performance. I'd like to extract the actual behavior of one particular process so as to do deeper analysis with other tools.
  2. The injector function of drakvuf is really amazing. However, it might also be used to attack the vm. So is there any way to prevent it from inside the vm?

Best wishes.


tklengyel avatar tklengyel commented on August 15, 2024

On Mon May  4 2015 10:18:50 AM CEST, aweally [email protected] wrote:

Thanks for your reply. Here're another two questions.

  1. How can I assign a particular process to monitor instead of all
    execution of the os? The current outputs are really noisy and
    costly in performance. I'd like to extract the actual behavior of one
    particular process so as to do deeper analysis with other tools.

Right now the target of the inspection is the OS. To monitor a process it would be the same method - get its debug symbols and inject breakpoints in the function entry points. At that point it will be effectively just regular debugging, so you might just want to use gdb for that.

  2. The injector function of drakvuf is really amazing. However, it might
    also be used to attack the vm. So is there any way to prevent it from
    inside the vm?

Thanks ;) There really isn't much the VM can do. That's why you should protect your dom0 and your hypervisor. Once those are compromised it's pretty much game over.

Best wishes.

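The reply above says the inspection target is the whole OS, so narrowing to one process is left to the analyst. One defender-side way to get the "actual behavior of one particular process" out of a system-wide trace without touching the hypervisor side is to post-filter the trace and follow the process tree, so that children the sample spawns are kept as well. The script below is an added example, not DRAKVUF code; the line format (`pid ppid name event`) and the sample lines are constructed for illustration and do not represent DRAKVUF's real output format.

```python
"""Post-filter a system-wide trace down to one process and its descendants.

Added example; not part of DRAKVUF. The trace format used here is constructed
for illustration: one event per line, "pid ppid name event".
"""

# Constructed sample trace (not real DRAKVUF output). Lines are in observation
# order, so a child's first event appears after its parent's creation call.
SAMPLE_TRACE = """\
4 0 System NtCreateFile
1234 4 taskmgr.exe NtQuerySystemInformation
2048 600 sample.exe NtCreateFile
600 400 explorer.exe NtReadFile
2048 600 sample.exe NtCreateUserProcess
3100 2048 cmd.exe NtCreateFile
1234 4 taskmgr.exe NtQuerySystemInformation
3100 2048 cmd.exe NtCreateUserProcess
3200 3100 whoami.exe NtQueryInformationProcess
600 400 explorer.exe NtWriteFile
"""


def parse(lines):
    """Yield one dict per non-empty trace line; the format is the constructed one above."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        pid, ppid, name, event = line.split(maxsplit=3)
        yield {"pid": int(pid), "ppid": int(ppid), "name": name, "event": event}


def filter_process_tree(events, root_pid):
    """Keep events from root_pid and from any process whose parent is already tracked.

    Children are adopted the first time they appear with a tracked ppid, which
    works because the trace is in observation order. Caveat: PIDs are reused by
    the OS, so on a long trace a recycled PID could be adopted wrongly; a real
    tool should also key on process creation/exit events.
    """
    tracked = {root_pid}
    kept = []
    for ev in events:
        if ev["pid"] in tracked:
            kept.append(ev)
        elif ev["ppid"] in tracked:
            tracked.add(ev["pid"])  # first sighting of a child of a tracked process
            kept.append(ev)
    return kept


def events_per_process(events):
    """Count kept events by (pid, name), a quick view of how much noise was removed."""
    counts = {}
    for ev in events:
        key = (ev["pid"], ev["name"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    all_events = list(parse(SAMPLE_TRACE.splitlines()))
    kept = filter_process_tree(all_events, root_pid=2048)
    print(f"{len(all_events)} events in trace, {len(kept)} belong to pid 2048's tree")
    for (pid, name), n in sorted(events_per_process(kept).items()):
        print(f"  {pid:>5} {name:<14} {n} event(s)")
```

With the constructed trace, filtering on the sample's PID keeps its own events plus those of the `cmd.exe` and `whoami.exe` descendants and drops everything from `taskmgr.exe`, `explorer.exe` and `System`; the same approach applies to any trace that carries a parent PID per event.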

allewwaly avatar allewwaly commented on August 15, 2024

All right. I guess I need to check out the source code and find where I can add a monitoring function for a specific process. Is there any IRC channel for drakvuf so I can discuss it with you?

tklengyel avatar tklengyel commented on August 15, 2024

I'm usually on #libvmi on Freenode!
