decaf-project / DECAF

DECAF (short for Dynamic Executable Code Analysis Framework) is a binary analysis platform based on QEMU. This is also the home of the DroidScope dynamic Android malware analysis platform. DroidScope is now an extension to DECAF.
GNU General Public License v3.0

Is there any way to implement VMI without using procinfo_generic? #102

Open RLee063 opened 1 year ago

RLee063 commented 1 year ago

In order to implement Linux VMI, DECAF needs to compile procinfo.ko and run it in the target kernel. But in my case, I have a restricted virtual machine: I cannot get the kernel's source code, and it is not easy to insert modules on it.

So I'm curious, is there a theoretically feasible way to get this procinfo (addresses, structure offsets, etc.) directly from the QEMU level without extra work?

NOTE: This is not a request for DECAF enhancement, just a free technical discussion.

hengyin commented 1 year ago

Yeah, it is actually possible. Check out our recent paper

https://www.ndss-symposium.org/ndss-paper/auto-draft-193/

Heng


RLee063 commented 1 year ago


Many thanks, I'll take a look at this.

BTW, are there any other tools like DECAF that can provide VMI capability and are compatible with higher versions of QEMU?