Understanding the sandbox
Tech stack
DRAKVUF Sandbox is built on top of a few layers of software and hardware technologies:
Intel VT-x and EPT - extensions to the x64 architecture that allow virtual machines to run natively on the CPU
Xen - hypervisor; spawns virtual machines and exposes interfaces for interaction and introspection
LibVMI - abstracts away the introspection interfaces; provides utilities for reading/writing VM memory, parsing the VMs' kernel structures and handling notifications about certain events happening in a VM
DRAKVUF - stealthily hooks various parts of a guest VM and logs interesting events
DRAKVUF Sandbox - provides a user-friendly interface and high-level analyses
Project structure
DRAKVUF Sandbox is divided into two packages:
drakcore - system core, provides a web interface, an internal task queue and object storage
drakrun - sandbox worker, wrapper for DRAKVUF, responsible for managing VMs, running analyses and sending results for further postprocessing.
Note
The DRAKVUF engine is a separate project authored by Tamas K Lengyel.
DRAKVUF Sandbox is built around karton – a microservice framework created at CERT Poland as a specialized tool for building flexible malware analysis pipelines. Its main goal is routing tasks between multiple services.
Daemons
drakcore package
drak-web - web interface that allows the user to interact with the sandbox through either the REST API or the GUI
drak-system - internal task management system, used for dispatching jobs between workers
drak-minio - built-in object storage in which analysis results are stored
drak-postprocess - responsible for processing raw analysis logs into a more usable form
drakrun package
drakrun 1..n - fetches incoming samples for analysis, runs VMs, and sends back the results of the analysis; each daemon handles one concurrent VM
Lifecycle of an analysis
1. The user submits a new analysis with a browser or programmatically using the karton API.
2. drak-system dispatches the job to one of the drakrun instances.
3. drakrun runs the analysis:
   - the preconfigured virtual machine image is restored
   - the sample is uploaded to the VM using DRAKVUF's injector
   - the sample is executed
   - after a chosen timeout, the virtual machine is destroyed
4. Raw results (dumps, logs, pcaps) are sent back to drak-system as a karton task.
5. drak-system dispatches a task to drak-postprocess, which extracts interesting data for the user.
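To make the routing between the daemons concrete, here is an added, self-contained Python model of the lifecycle above. It is not code from DRAKVUF Sandbox or from karton: the service names follow this page, but the header values ("type"/"stage"), the filter declarations, the in-memory queue standing in for the karton broker, the run_demo() entry point and the DRAKVUF-like JSON log lines are all constructed for this example. What it does reproduce is the karton routing rule that a task reaches a consumer when every key of at least one of the consumer's filter dicts matches the task headers, so you can see why a sample submitted once passes through drak-system twice before drak-postprocess ever sees it.

```python
"""Toy model of the analysis lifecycle as a karton-style pipeline.

Added illustration, not code from DRAKVUF Sandbox or karton: service names
follow the documentation, but the header values, filter declarations,
in-memory queue and sample log lines are assumptions made for this example.
"""
import json
from collections import Counter, deque
from dataclasses import dataclass, field


@dataclass
class Task:
    headers: dict
    payload: dict = field(default_factory=dict)


def matches(filters, headers):
    """karton-style routing rule: a task is delivered to a consumer when all
    keys of at least one of its filter dicts equal the task's header values."""
    return any(all(headers.get(k) == v for k, v in f.items()) for f in filters)


class Pipeline:
    """Minimal in-memory stand-in for the karton broker (Redis in practice)."""

    def __init__(self):
        self.queue = deque()
        self.consumers = []   # (service name, filters, handler)
        self.route = []       # (service name, stage) for every delivered task

    def register(self, name, filters, handler):
        self.consumers.append((name, filters, handler))

    def send(self, task):
        self.queue.append(task)

    def run(self):
        while self.queue:
            task = self.queue.popleft()
            for name, filters, handler in self.consumers:
                if matches(filters, task.headers):
                    self.route.append((name, task.headers.get("stage")))
                    for out in handler(task):
                        self.send(out)
        return self.route


# Constructed DRAKVUF-like JSON-lines output; field names are assumptions.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"Plugin": "syscall", "PID": 1234, "ProcessName": "sample.exe", "Method": "NtCreateFile"},
    {"Plugin": "syscall", "PID": 1234, "ProcessName": "sample.exe", "Method": "NtWriteFile"},
    {"Plugin": "procmon", "PID": 1234, "ProcessName": "sample.exe", "Method": "NtCreateUserProcess"},
    {"Plugin": "syscall", "PID": 800, "ProcessName": "explorer.exe", "Method": "NtOpenKey"},
])


def drak_system(task):
    """Steps 2 and 5: dispatch to drakrun, later hand raw results to postprocessing."""
    if task.headers["type"] == "sample":
        yield Task({"type": "analysis", "stage": "pending"}, task.payload)
    else:  # raw results coming back from drakrun
        yield Task({"type": "analysis", "stage": "postprocess"}, task.payload)


def drakrun(task):
    """Step 3: restore snapshot, inject the sample, execute, destroy after timeout.
    The real VM work is replaced here by the constructed log above."""
    yield Task({"type": "analysis", "stage": "raw"},
               {"sample": task.payload["sample"], "drakmon_log": SAMPLE_LOG})


def drak_postprocess(task, reports):
    """Step 5: reduce the raw JSON-lines log to a per-process syscall count."""
    per_process = Counter()
    for line in task.payload["drakmon_log"].splitlines():
        entry = json.loads(line)
        if entry.get("Plugin") == "syscall":
            per_process[entry["ProcessName"]] += 1
    reports[task.payload["sample"]] = dict(per_process)
    return []  # end of the pipeline; nothing further is emitted


def run_demo(sample_name="constructed_sample.exe"):
    """Submit one sample (step 1) and return (route taken, postprocessed report)."""
    reports = {}
    p = Pipeline()
    p.register("drak-system",
               [{"type": "sample"}, {"type": "analysis", "stage": "raw"}], drak_system)
    p.register("drakrun", [{"type": "analysis", "stage": "pending"}], drakrun)
    p.register("drak-postprocess", [{"type": "analysis", "stage": "postprocess"}],
               lambda t: drak_postprocess(t, reports))
    p.send(Task({"type": "sample", "stage": "new"}, {"sample": sample_name}))
    route = p.run()
    return route, reports[sample_name]


if __name__ == "__main__":
    route, report = run_demo()
    print("route:", " -> ".join(f"{n}[{s}]" for n, s in route))
    print("report:", report)
```

The "stage" header is what keeps the loop from re-delivering a task to the service that just emitted it: drakrun only accepts "pending", drak-system only accepts "raw", and drak-postprocess only accepts "postprocess". When adding your own consumer to a karton pipeline, checking its filters against the headers of every task type already in flight (as matches() does here) is the quickest way to catch an accidental routing loop or a task that silently matches nothing.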