DRAKVUF Sandbox documentation

DRAKVUF Sandbox is an automated black-box malware analysis system with DRAKVUF engine under the hood, which does not require an agent on guest OS.

This project provides you with a friendly web interface that allows you to upload suspicious files to be analyzed. Once the sandboxing job is finished, you can explore the analysis result through the mentioned interface and get insight whether the file is truly malicious or not.

Because it is usually pretty hard to set up a malware sandbox, this project also comes with installation toolkit that would help you get through the necessary steps.

It’s highly recommended to have a basic knowledge about Xen hypervisor that would help you debug issues that may depend on your hardware.

User guide

• What’s changed, how to upgrade?
  • v0.20.0
  • v0.19.0
• Getting started
  • Supported hardware & software
  • First steps: Basic installation
  • Creating initial Windows VM snapshot
  • Modifying Windows VM snapshot
  • Checking if Drakvuf works correctly
  • Setting up analysis worker and web UI
  • Building from sources
• Basic usage
  • Uploading a file for analysis
  • Viewing analysis results
  • Viewing recent analyses
• Advanced configuration
  • Supported configuration fields
  • Advanced DRAKVUF engine configuration
  • Changing post-restore script
  • Customizing network configuration
  • Configuration presets
• Optional features
  • S3 integration
  • ZFS storage backend
  • CLI analysis
  • Using “drakshell” command
  • Using “injector” command
  • Spawning Drakvuf engine manually
  • Networking
  • MS Office file support
• Managing snapshots
  • Snapshot modification
  • Importing and exporting snapshots
• Troubleshooting
  • Debug device model did not start
  • Debug can't allocate low memory for domain

Misc

• DRAKVUF Sandbox FAQ
• Using drakpdb tool
• Using Intel Processor Trace Features (Experimental)