Releases: tklengyel/drakvuf
DRAKVUF 1.0
What's New
Support added for building DRAKVUF with the Meson build system, which speeds up building the project.
Several new plugins contributed by the community:
- SprayMon #1397
- CallbackMon #1380
- HideVM #1499
- PTraceMon #1514
- EBPFMon #1517
- UnixSocketMon #1521
- ETWMon #1553
As usual there has been a large number of performance improvements and bugfixes, as well as an upgrade to the latest Xen release of 4.17.0.
Changes in terms of lines of code: +24610, -7848
Regular contributors
Thanks for the ongoing contributions by @manorit2001, @disaykin, @archercreat, @chivay, @skvl, @BonusPlay! Cheers!
New Contributors
- @BlindingRadiance made their first contribution in #1397
- @delvinru made their first contribution in #1427
- @piotr-krysiuk made their first contribution in #1455
- @blsvntn made their first contribution in #1499
- @malwarectigouvfr made their first contribution in #1527
- @batennik made their first contribution in #1544
Full Changelog: 0.8...1.0
DRAKVUF 0.8
In this release you will find new plugins:
- codemon
- hidsim
- filetracer for Linux
- procdump2
- tlsmon
- rpcmon
- rootkitmon
- exploitmon
- ipt
There has also been a major cleanup of libinjector with improvements and bugfixes, as well as improvements to the libhook and libusermode libraries. This release works best with Xen 4.16 or later.
Thank you for all the contributors in this release: Adam Kliś, Ayush Dosa, Dmitry Isaikin, exescript, Hubert Jasudowicz, Id3aFly, Jan Gruber, Kağan IŞILDAK, Konstanty Cieśliński, Manorit Chawdhry, Michał Leszczyński, Pavel, Pwnosaur, Sergey Kovalev
DRAKVUF 0.7
In this release you will find new plugins and tools such as:
- procdump
- apimon
- REPL
A new helper library was also added: libusermode. It helps with monitoring usermode code. In this release we also switched to using Volatility 3's IST JSON profiles. Requires Xen 4.14 or later, which includes several bugfixes and performance improvements to the VMI subsystem.
Thanks to all the contributors in this release: @icedevml @skvl @zodeak @disaykin @kaganisildak @BonusPlay @sasza8 @chengsteven @4M4Z4 @kscieslinski
DRAKVUF 0.6
This latest release contains a lot of bugfixes and improvements. Injector now supports Linux as well. Requires Xen 4.12.1 or later.
There are a bunch of new plugins as well:
- Regmon
- Procmon
- BSODmon
- EnvMon
- CrashMon
- ClipboardMon
- WindowMon
- LibraryMon
- DKOMmon
- WMIMon
- MEMDump
DRAKVUF 0.5
The latest release moves the project onto Xen 4.9 and also includes:
- Adding support up to Windows 10!
- New plugin added, socketmon: monitor TCP and UDP connections for Windows machines
- Changing filetracer to use syscalls instead of monitoring ExAllocatePoolWithTag
- The syscall plugin now also prints detailed arguments for Windows guests
- Variety of bugfixes and improvements
DRAKVUF 0.4
This release is based on Xen 4.8 and includes two new plugins: cpuidmon and debugmon! Furthermore, this release also includes support for monitoring system calls in Linux guests.
DRAKVUF 0.3
The DRAKVUF 0.3 release runs on a custom version of Xen 4.7 and includes many bugfixes and improvements, including a new plugin to monitor malware modifying the SSDT. It is the most stable version of DRAKVUF to date.
DRAKVUF 0.2.1
Various fixes to the 0.2 release:
- timeout only starts at loop start
- do injection with drakvuf binary before plugin/loop start
- speed-up trap addition by not looping entire module list for RVA based traps
DRAKVUF 0.2
The DRAKVUF 0.2 release runs on Xen 4.6 and adds support for multi-vCPU guests. This release also re-organizes the internals of DRAKVUF to allow developers to interact with the generic monitoring capability of DRAKVUF via a plugin system.
DRAKVUF 0.1
This is the initial, alpha release of DRAKVUF. It works with Xen up to 4.5 and supports Windows 7 32 and 64-bit versions.