Open-Awesome

© 2026 Open-Awesome. Curated for the developer elite.

DRAKVUF

License: NOASSERTION · Language: C++ · Version: 1.0

A virtualization-based agentless black-box binary analysis system for stealthy execution tracing.

What is DRAKVUF?

DRAKVUF is a virtualization-based agentless black-box binary analysis system that allows for in-depth execution tracing of arbitrary binaries, including operating systems, without installing any software within the virtual machine used for analysis. It leverages Intel hardware virtualization extensions to monitor system execution from outside the VM, providing a stealthy platform for security research and malware investigation.

Target Audience

Security researchers, malware analysts, and forensic investigators who need to perform stealthy, in-depth binary analysis of Windows and Linux systems in virtualized environments.

Value Proposition

DRAKVUF offers a unique agentless approach to binary analysis that minimizes detection risk by operating entirely outside the target VM, using hardware virtualization for deep system introspection without the need for in-guest instrumentation.

Overview

DRAKVUF Black-box Binary Analysis

Use Cases

Best For

  • Stealthy malware analysis in virtualized sandboxes
  • Black-box binary execution tracing without in-VM agents
  • Security research on Windows and Linux kernel behavior
  • Forensic analysis of firmware and operating system interactions
  • Building automated analysis sandboxes for suspicious binaries
  • Low-level system introspection using Intel VT-x and EPT

Not Ideal For

  • Teams using AMD processors or Intel CPUs without Extended Page Tables support
  • Developers needing quick, application-level debugging without virtualization overhead
  • Production environments requiring real-time system monitoring with minimal performance impact
  • Projects focused exclusively on the latest operating systems like Windows 11 or Linux kernels beyond 6.x

Pros & Cons

Pros

Agentless Operation

Eliminates the need to install any software inside the analysis VM, which significantly reduces the risk of the analysis being detected by malware, as the README's agentless-analysis feature emphasizes.

Hardware-Based Stealth

Leverages Intel VT-x and EPT for low-level introspection that is nearly undetectable from within the target VM, making it ideal for stealthy malware investigation.

Multi-OS Support

Compatible with Windows 7-10 and Linux 2.6.x-6.x, both 32-bit and 64-bit, providing flexibility for analyzing a range of systems.

Comprehensive Tracing

Can monitor firmware, OS kernels, and user-space processes, offering deep execution insights across the whole software stack, as reflected in its broad monitoring scope.

Cons

Hardware Dependency

Only works on Intel CPUs with VT-x and EPT, excluding AMD and older Intel processors, which severely limits hardware compatibility and creates vendor lock-in.

Complex Setup

Installation steps are hosted on an external website (drakvuf.com), indicating a non-trivial setup process that may require advanced technical expertise and time.

Limited Guest OS Coverage

Does not support the latest operating systems like Windows 11 or recent Linux kernels beyond 6.x, potentially hindering analysis of modern software without updates.

Quick Stats

Stars: 1,240
Forks: 265
Contributors: 0
Open Issues: 114
Last commit: 19 days ago
Created: since 2014

Tags

#sandboxing #black-box-testing #xen #malware-analysis #binary-analysis #introspection #security-research #virtualization

Included in

Malware Analysis (13.6k)

Related Projects

malice.io

VirusTotal Wanna Be - Now with 100% more Hipster

Stars: 1,861 · Forks: 284 · Last commit: 3 years ago

Noriben

Noriben - Portable, Simple, Malware Analysis Sandbox

Stars: 1,273 · Forks: 228 · Last commit: 2 months ago

HaboMalHunter

HaboMalHunter is a sub-project of Habo Malware Analysis System (https://habo.qq.com), which can be used for automated malware analysis and security assessment on the Linux system.

Stars: 751 · Forks: 221 · Last commit: 3 years ago

Limon

Limon is a sandbox developed as a research project written in Python, which automatically collects, analyzes, and reports on the run-time indicators of Linux malware. It allows one to inspect Linux malware before execution, during execution, and after execution (post-mortem analysis) by performing static, dynamic and memory analysis using open source tools.

Stars: 403 · Forks: 118 · Last commit: 10 years ago