- In `/etc/drakrun/config.ini`, add the `ipt` plugin to the `__all__` entry under the `[drakvuf_plugins]` section in order to enable IPT tracing.
- In `/etc/drakrun/scripts/cfg.template` add a new entry: `vmtrace_buf_kb = 8192` (this sizes the per-vCPU Intel PT trace buffer, in kB, that Xen allocates for the guest).
- Execute `systemctl restart drakrun@1` (repeat for each drakrun instance if you have scaled them up).
In order to analyze IPT data streams, you need to install the `libipt`, `xed`, `ptdump` (modified), `ptxed` and `drak-ipt-blocks` tools.
- Perform an analysis with the IPT plugin enabled.
- Download the completed analysis from MinIO to your local hard drive.
- Find the CR3 of the target process you want to disassemble (hint: `syscall.log` contains CR3 values for every recorded syscall, so grep it for the process name of interest).
- Execute `drak-ipt-disasm --analysis . --cr3 <target_process_cr3> --vcpu 0`
- After a few minutes it should start printing the full trace disassembly of the targeted process.
- You can also try the `--blocks` switch of `drak-ipt-disasm` to get a list of executed basic blocks for this process instead of the full disassembly.
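The steps above, scripted: the following is an added helper, not part of drakrun or DRAKVUF, that pulls the CR3 values a given process name used out of `syscall.log` and builds the matching `drak-ipt-disasm` command line. It assumes `syscall.log` is DRAKVUF JSON-lines output in which each record carries `"ProcessName"` and `"CR3"` fields; the log lines it writes are constructed sample data, not real sandbox output. Everything other than `drak-ipt-disasm` and its switches, which the page itself documents, is an assumption.

```shell
#!/bin/sh
# Added example (not drakrun's own code). ASSUMPTION: syscall.log is DRAKVUF
# JSON-lines output with "ProcessName" and "CR3" keys on each record.
set -eu

# Write a constructed sample syscall.log (not real sandbox output) to $1.
write_sample_log() {
    cat > "$1" <<'EOF'
{"Plugin" : "syscall", "PID" : 4, "ProcessName" : "System", "vCPU" : 0, "CR3" : "0x1aa000", "Method" : "NtWaitForSingleObject"}
{"Plugin" : "syscall", "PID" : 1234, "ProcessName" : "malware.exe", "vCPU" : 0, "CR3" : "0x3f8c2000", "Method" : "NtCreateFile"}
{"Plugin" : "syscall", "PID" : 1234, "ProcessName" : "malware.exe", "vCPU" : 1, "CR3" : "0x3f8c2000", "Method" : "NtWriteFile"}
{"Plugin" : "syscall", "PID" : 808, "ProcessName" : "explorer.exe", "vCPU" : 0, "CR3" : "0x2b1e4000", "Method" : "NtOpenKey"}
EOF
}

# Print the distinct CR3 values recorded for process name $2 in log $1,
# one per line. A process that never made a syscall prints nothing.
cr3_for_process() {
    log="$1"; name="$2"
    grep -E "\"ProcessName\"[[:space:]]*:[[:space:]]*\"$name\"" "$log" \
      | sed -n -E 's/.*"CR3"[[:space:]]*:[[:space:]]*"(0x[0-9a-fA-F]+)".*/\1/p' \
      | sort -u
}

# Build the drak-ipt-disasm invocation for analysis dir $1, CR3 $2 and
# vCPU $3. Mode "blocks" adds --blocks (list executed basic blocks);
# anything else requests the full trace disassembly.
disasm_cmd() {
    dir="$1"; cr3="$2"; vcpu="$3"; mode="${4:-full}"
    cmd="drak-ipt-disasm --analysis $dir --cr3 $cr3 --vcpu $vcpu"
    if [ "$mode" = "blocks" ]; then
        cmd="$cmd --blocks"
    fi
    printf '%s\n' "$cmd"
}

# Usage: from inside the downloaded analysis directory, run the script and
# pipe the printed commands to sh once you have checked them.
tmp_log="$(mktemp)"
write_sample_log "$tmp_log"
for cr3 in $(cr3_for_process "$tmp_log" malware.exe); do
    disasm_cmd . "$cr3" 0
    disasm_cmd . "$cr3" 0 blocks
done
rm -f "$tmp_log"
```

Point the helper at the real `syscall.log` of the downloaded analysis instead of the sample file; if a process name maps to more than one CR3 (for example after a reparenting or a re-launched image), run `drak-ipt-disasm` once per value, and repeat for each vCPU (`--vcpu 1`, ...) because the trace buffer is per vCPU.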
Example (executed basic blocks):
Example (full usermode disassembly):