ipt.rst

Using Intel Processor Trace Features (Experimental)

Enable IPT plugin in drakrun

  1. In /etc/drakrun/config.ini, add ipt to the plugin list under the __all__ key of the [drakvuf_plugins] section, so that IPT tracing is enabled for every analysis.
  2. In /etc/drakrun/scripts/cfg.template (the Xen domain configuration template) add a new entry: vmtrace_buf_kb = 8192. This reserves an 8 MB processor trace buffer per vCPU; without it Xen does not enable tracing for the guest.
  3. Execute systemctl restart drakrun@1 so the new configuration is picked up (repeat for each drakrun instance if you have scaled them up, e.g. drakrun@2).

Install required extra dependencies

In order to analyze IPT data streams, you need to install libipt, xed, the (modified) ptdump, ptxed and the drak-ipt-blocks tool.

Generate trace disassembly

  1. Perform an analysis with the IPT plugin enabled.
  2. Download the completed analysis from MinIO to your local hard drive.
  3. Find the CR3 of the target process you want to disassemble (hint: syscall.log records a CR3 value with every logged syscall, so look up the entries of your process there).
  4. From the downloaded analysis directory, execute drak-ipt-disasm --analysis . --cr3 <target_process_cr3> --vcpu 0. The trace is captured per vCPU; if the guest has more than one, repeat with each --vcpu index.
  5. After a few minutes it should start printing the full trace disassembly of the targeted process.
  6. You can also pass the --blocks switch to drak-ipt-disasm to get a list of the basic blocks executed by this process.
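
The following script, added here as an example and not part of drakrun or DRAKVUF, automates step 3 and builds the step 4 command line. It assumes syscall.log is JSON lines carrying "PID", "ProcessName" and "CR3" fields (CR3 as a hex string), which is how DRAKVUF's JSON output names them; the sample lines embedded below are constructed, not real sandbox output, and the hex formatting of the --cr3 argument is an assumption.

```python
"""Pick the CR3 of a target process out of syscall.log and print the
drak-ipt-disasm invocation for it.

Added example, not drakrun code. Assumes syscall.log is JSON lines with
"PID", "ProcessName" and "CR3" (hex string) fields.
"""
import json
import shlex
import sys
from collections import Counter, defaultdict

# Constructed sample of syscall.log lines (made-up values, not real output).
# Note the PID 1880 reuse by notepad.exe and the cmd.exe record without CR3.
SAMPLE_SYSCALL_LOG = """\
{"Plugin": "syscall", "PID": 4, "PPID": 0, "TID": 120, "ProcessName": "System", "Method": "NtWaitForSingleObject", "CR3": "0x1aa000"}
{"Plugin": "syscall", "PID": 1880, "PPID": 600, "TID": 1884, "ProcessName": "malware.exe", "Method": "NtCreateFile", "CR3": "0x3f2c000"}
{"Plugin": "syscall", "PID": 1880, "PPID": 600, "TID": 1884, "ProcessName": "malware.exe", "Method": "NtWriteFile", "CR3": "0x3f2c000"}
this line is not JSON and must be skipped
{"Plugin": "syscall", "PID": 2204, "PPID": 1880, "TID": 2208, "ProcessName": "cmd.exe", "Method": "NtOpenKey", "CR3": "0x5a10000"}
{"Plugin": "syscall", "PID": 1880, "PPID": 900, "TID": 3001, "ProcessName": "notepad.exe", "Method": "NtClose", "CR3": "0x7b40000"}
{"Plugin": "syscall", "PID": 2204, "PPID": 1880, "TID": 2208, "ProcessName": "cmd.exe", "Method": "NtClose"}
"""


def collect_cr3(lines):
    """Map (PID, ProcessName) -> Counter of CR3 values seen in syscall.log.

    Non-JSON lines and records without a CR3 are skipped. A PID that is
    reused by a later process lands under a separate (PID, name) key, so
    the analyst sees both address spaces instead of a silently merged one.
    """
    seen = defaultdict(Counter)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        cr3 = rec.get("CR3")
        if cr3 is None:
            continue
        # CR3 is a hex string in the JSON output; tolerate an int as well.
        cr3 = int(cr3, 16) if isinstance(cr3, str) else int(cr3)
        key = (rec.get("PID"), rec.get("ProcessName", "?"))
        seen[key][cr3] += 1
    return seen


def find_cr3(lines, process_name):
    """Return [(pid, cr3_hex, syscall_count), ...] for every process whose
    image name matches process_name (case-insensitive; a full path in
    ProcessName is matched on its last component). Sorted by count, so the
    busiest address space, usually the one you want to trace, comes first."""
    want = process_name.lower()
    matches = []
    for (pid, name), cr3s in collect_cr3(lines).items():
        if name.lower().split("\\")[-1] != want:
            continue
        for cr3, count in cr3s.items():
            matches.append((pid, f"{cr3:#x}", count))
    matches.sort(key=lambda m: -m[2])
    return matches


def disasm_command(analysis_dir, cr3_hex, vcpu=0, blocks=False):
    """Build the drak-ipt-disasm argv exactly as the steps above spell it."""
    argv = ["drak-ipt-disasm", "--analysis", analysis_dir,
            "--cr3", cr3_hex, "--vcpu", str(vcpu)]
    if blocks:
        argv.append("--blocks")
    return argv


if __name__ == "__main__":
    # Usage: python find_cr3.py <syscall.log> <image name> [vcpu count]
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as fh:
            log_lines = fh.readlines()
        target, vcpus = sys.argv[2], int(sys.argv[3]) if len(sys.argv) > 3 else 1
    else:
        log_lines, target, vcpus = SAMPLE_SYSCALL_LOG.splitlines(), "malware.exe", 1
    hits = find_cr3(log_lines, target)
    if not hits:
        sys.exit(f"no syscall.log entries for {target}")
    for pid, cr3, count in hits:
        print(f"PID {pid}: CR3 {cr3} ({count} syscalls)")
    # One trace stream per vCPU: emit a command for each of them.
    for vcpu in range(vcpus):
        print(shlex.join(disasm_command(".", hits[0][1], vcpu, blocks=True)))
```

Run it from the downloaded analysis directory as `python find_cr3.py syscall.log malware.exe 2` for a two-vCPU guest; it lists every CR3 the process was seen with and prints one drak-ipt-disasm line per vCPU. If the same image name shows up with several CR3 values, each is a distinct process instance (or a reused PID), and you have to choose which one to disassemble.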

Example (executed basic blocks):

Example (full usermode disassembly):