rVMI: Perform Full System Analysis with Ease

Manual dynamic analysis is an important concept. It enables us to
observe the behavior of a sophisticated malware sample or exploit by
executing it in a controlled environment. The information gathered
through this process is often crucial in gaining a full understanding
of a sample.

When performing manual dynamic analysis today, there are essentially
two tools one can use: debuggers and sandboxes. While both of these
tools are certainly very valuable, neither has been designed for the
purpose of manual dynamic analysis. As a consequence, both approaches
have inherent shortcomings that make interactive dynamic analysis
difficult and tedious.

In this blog post we present a novel approach to manual dynamic
analysis: rVMI. rVMI was
specifically designed for interactive malware analysis. It combines
virtual machine introspection (VMI) and memory forensics to provide a
platform for interactive and scriptable analysis. This blog post
follows our presentation at Black
Hat USA 2017
.

What is rVMI?

rVMI can best be described as debugger on steroids. In contrast to
traditional debuggers, rVMI operates entirely outside of the target
environment and allows the analysis of a live system from the
hypervisor-level. This is achieved by combining VMI with memory forensics.

In particular, rVMI makes use of full system virtualization to move
the debugger out of the virtual machine (VM) to the hypervisor-level.
As a result, the debugger runs isolated from the malware executed in a
QEMU/KVM VM. This gives
the analyst complete control over the target through VMI while keeping
the malware in an isolated, debugger free environment. In addition,
this enables an analyst to pause and resume the VM at any point in
time as well as making use of traditional debugging functionality such
as breakpoints and watchpoints.

To bridge the semantic gap and support full system analysis, rVMI
makes use of Rekall.
Rekall is a powerful open
source memory forensics
framework. It provides a wide range of
features that allow one to enumerate processes, inspect kernel data
structures, access process address spaces, and much more. While Rekall
usually works with static memory dumps, rVMI extends Rekall to support
live VMs. This enables an analyst to leverage the entire Rekall
feature set while performing an analysis with rVMI, effectively
allowing them to inspect user space processes, kernel drivers, and
even pre-boot environments with a single tool.

rVMI supports all operating systems that Rekall supports, including
Windows (XP-10), Linux, and Mac OS X. Analysis is performed through an
iPython shell that makes all
Rekall and VMI features available through a single interface. In
addition, rVMI provides a Python API that makes it easy to automate
tasks through external scripts or on-the-fly within the iPython shell.
Finally, rVMI supports snapshots, which allows an analyst to easily
save or restore states of the target environment.

rVMI in Action

Think of rVMI as a debugger regarding its interface and how you
interact with it. This interface is implemented as an iPython shell
that the analyst can interact with. Once connected, rVMI will leverage
Rekall to automatically detect the operating system that is running.
Rekall currently provides profiles for Windows, Linux, and Mac OS X.
In addition, we added support for pre-boot environment analysis (e.g.
to analyze bootkits). Pausing and resuming the system is realized
through simple commands. Once the system is paused, one can leverage
any of the commands Rekall supports to further analysis. Demo 1
demonstrates inspecting a kernel data structure using the Rekall
profile object.

This is a Security Bloggers Network syndicated blog post authored by Nick Harbour. Read the original post at: Threat Research Blog