
Releases: CERT-Polska/drakvuf-sandbox

DRAKVUF Sandbox v0.19.0

06 Aug 09:22
c02fdf6

This release is a complete rewrite of the Drakvuf Sandbox project. Documentation can be found on Read the Docs.

After the "Adiós Edition", it's finally time for the "Hola De Nuevo Edition" 👋. If you've been here since v0.18.x, you will have noticed that a lot has changed:

  • The analysis queue is now maintained with RQ instead of Karton.
  • The local filesystem is the primary storage for analyses; S3 can optionally be used as well.
  • "draksetup" is now "drakrun". It is not only a CLI configuration tool but a toolkit that can also spawn manual analyses and help with Drakvuf debugging.
  • There is a new, much more convenient Web UI with a basic summary (based on Drakvuf logs), improved live interaction, screenshots taken during analysis, and a log view that supports filtering.

A list of major changes can be found in the "What's changed" section of the documentation.

Below is the changelog comparing this release to v0.19.0-alpha3:

New changes and improvements:

  • S3 integration support (#1076)
  • Snapshot import/export to local directory (#1078)
  • Configuration presets for worker-side analysis defaults (#1081)
  • Compact log index (#1075)
  • UI: download buttons for pcap and dumps (#1093)
  • UI: checkboxes disabling Internet and screenshots (#1094)
  • Drop dead code for ProcDOT graph generation (#1098)
  • postprocessing: Parse NtTerminateProcess to get exit code and killer PID (#1099)
  • Improved dumps cropping logic (#1103)
  • Summary report (#1101)
  • Optional gzipping of syscall.log (#1097)
  • Feature: execution start timestamp and remaining analysis time indicator (#1105)

Bugfixes:

  • Don't double-escape argv in get_startup_argv (#1083)
  • Wrong relative dir check in prepare_output_dir (#1085)
  • Drakvuf working dir is now set to analysis output dir (#1084)
  • Fix PEB_LDR_DATA in drakshell/nt_loader.c (#1088)
  • Set job status to 'unknown' instead of None/missing key when status is unavailable (#1090)
  • Fix issues when start_command is provided as str instead of list (#1091)
  • Handle changed PPID in case of elevation (#1092)
  • Don't pass DNS traffic (dport 53) when net_enable=False (#1095)
  • Set generated password length to 8 (the maximum length VNC authentication uses) (#1096)
  • check_root is called only for CLI commands that actually require root (#1109)
  • Fix for various issues in LogViewer, mainly race conditions (#1110)
  • Fix for too strict CAPA validation (#1115)
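Why the generated VNC password is capped at 8 characters (#1096), as an added illustration that is not part of this release or of the project's code: classic VNC authentication (RFB security type 2) turns the password into an 8-byte DES key by NUL-padding or truncating it to 8 bytes, and because the original VNC DES code reads key bits in reversed order, clients built on a standard DES library bit-reverse each key byte. Anything beyond the eighth character therefore never participates in authentication, so a longer generated password only looks stronger. The function names and the alphabet below are illustrative choices, not drakrun's.

```python
"""Illustration of the VNC 8-character password limit (added example, not project code).

Classic VNC (RFB "VNC Authentication", security type 2) derives an 8-byte DES key from
the password: NUL-pad or truncate to 8 bytes, then bit-reverse each byte because the
reference VNC DES implementation consumes key bits in reversed order. Only the first
8 characters of a password can ever affect the challenge/response.
"""
import math
import secrets
import string

# Alphabet assumed for generated passwords (illustrative; the page does not state
# which alphabet drakrun actually uses).
ALPHABET = string.ascii_letters + string.digits
VNC_KEY_LEN = 8


def reverse_bits(byte: int) -> int:
    """Reverse the bit order of a single byte (0b00000001 -> 0b10000000)."""
    return int(f"{byte:08b}"[::-1], 2)


def vnc_des_key(password: str) -> bytes:
    """Derive the 8-byte DES key that VNC uses for the challenge/response.

    Characters beyond the eighth are silently discarded; shorter passwords are
    NUL-padded. The per-byte bit reversal matches the quirk of the reference VNC
    DES code (the same transformation vncdotool/noVNC-style clients apply).
    """
    raw = password.encode("latin-1", errors="replace")[:VNC_KEY_LEN]
    raw = raw.ljust(VNC_KEY_LEN, b"\x00")
    return bytes(reverse_bits(b) for b in raw)


def effective_password(password: str) -> str:
    """The part of the password that actually participates in authentication."""
    return password[:VNC_KEY_LEN]


def generate_vnc_password(length: int = VNC_KEY_LEN) -> str:
    """Generate a CSPRNG-based password no longer than the VNC limit."""
    if not 1 <= length <= VNC_KEY_LEN:
        raise ValueError(f"VNC passwords are effectively limited to {VNC_KEY_LEN} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def password_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    long_pw = "correcthorsebatterystaple"  # constructed sample password
    short_pw = "correcth"
    # Both passwords yield the same key: the trailing characters are discarded.
    assert vnc_des_key(long_pw) == vnc_des_key(short_pw)
    print("only", effective_password(long_pw), "matters, key =", vnc_des_key(long_pw).hex())
    pw = generate_vnc_password()
    print(f"generated {pw!r}: ~{password_entropy_bits(len(pw)):.1f} bits of entropy")
```

The practical consequence for a sandbox that exposes VNC for live interaction is that the password space is bounded by 8 characters times the alphabet size (about 47.6 bits for the alphanumeric alphabet above), so VNC should stay reachable only from trusted hosts or over a tunnel rather than relying on password strength alone.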

Full Changelog: v0.19.0-alpha3...v0.19.0

DRAKVUF Sandbox v0.19.0-alpha3

30 May 13:45
Pre-release

Latest documentation can be found here: https://drakvuf-sandbox.readthedocs.io/en/latest/usage/getting_started.html.

The package is available on PyPI as well, but it's still a pre-release version, so it's highly recommended to build DRAKVUF Sandbox from sources: https://drakvuf-sandbox.readthedocs.io/en/latest/usage/getting_started.html#building-from-sources

New features and improvements:

  • Automatic screenshots during analysis process (#1052, #1063)
  • drakweb: Moved API endpoints under the /api prefix. The API is now documented and uses flask-openapi3 to generate the OpenAPI specification and validate requests (#1068)
  • drakweb: Filtered process log viewer (#1064)
  • The sample is now started with the injector, and drakshell is evacuated on injection. It's recommended to run this version with the latest DRAKVUF to include this patch (#1047)
  • Minimum Python version is now 3.9 (#1055)
  • DRAKVUF analysis report generation (report.json) (by @yelhamer in #940)
  • Unified status and metadata.json: use the /api/status endpoint instead of /metadata to get basic information about an analysis task (#1061)

Bugfixes:

  • Fix: missing mkdirs for VMI_PROFILES_DIR/PDB_CACHE_DIR (#1045)
  • Fix: resolve the ISO path; VM-0 won't reboot with a relative one (#1044)
  • Fix: capa-rules submodule reference (#1057). Pinned capa-rules and capa to 7.4.0 (#1059)
  • Fix memdump directory mismatch (by @grzetzp in #1071)

Known issues:

  • drakrun mount doesn't work (#1070)

Full Changelog: v0.19.0-alpha2...v0.19.0-alpha3

DRAKVUF Sandbox v0.18.2

10 May 11:59

Installation guide: See Getting started section in documentation.

Warning: Building package for Debian Bullseye doesn't work.

Changelog:
TBD

DRAKVUF Sandbox v0.19.0-alpha2

23 Apr 14:55
f042c1e
Pre-release

Major rework of the Drakvuf Sandbox project. More about the current plans for v0.19.0 can be found in this issue.

To try out the alpha version, you can use the following commands:

  • The Drakvuf Sandbox package can be installed with pip install drakvuf-sandbox==0.19.0a2. It should be installed on top of a working Drakvuf/Xen installation in Dom0. A virtualenv is highly recommended.
  • drakrun is a CLI command with capabilities similar to draksetup (drakrun install, drakrun postinstall)
  • drakrun worker spawns the RQ worker that processes the analysis queue.
  • flask --app drakrun.web.app:app run --with-threads starts the new web UI.

Right now there is no documentation and no support for migration from earlier versions. This release marks a milestone in further development and tests the current package publishing workflow.

Full Changelog: v0.19.0-alpha1...v0.19.0-alpha2

DRAKVUF Sandbox v0.19.0-alpha1

01 Jul 09:11
Pre-release

Changelog: TBD

Full Changelog: v0.18.2...v0.19.0-alpha1

DRAKVUF Sandbox v0.18.1

28 Oct 14:39
ab0039e

Installation guide: See Getting started section in documentation.

Warning: Importing a snapshot to ZFS storage doesn't work. Fixed in #666 😈 (release v0.18.2 coming soon...)

Changelog:

  • drakrun: Ensure OS_INFO.json exists before accessing it (#658) (#661)

DRAKVUF Sandbox v0.18.0 Adiós Edition

27 Oct 12:18
2a132e7

Installation guide: See Getting started section in documentation.

Warning: Upgrading from a previous version may fail with a missing OS_INFO.json.

Changelog:

  • Update shadow_memory to 32 (#649) (contributed by @manorit2001)
  • Add analysis_uid to metadata.json (#647)
  • Add root check before sanity test (#640) (contributed by @manorit2001)
  • Add ApiScout profile to do_export_full and do_import_full (#630)
  • Bump snapshot version for generating OS_INFO.json (#643)
  • drakrun: Add missing T_64PCHAR pdbparse base_types (#642) (contributed by @Jack28)
  • drakrun: Dump raw guest VM memory feature (#621) (contributed by @pavveu7)
  • Add missing advapi32.dll in drakpdb.py (#631)
  • drakrun: Add apiscout profiles (#625)
  • debian: Install systemd units to /lib/systemd (#628)
  • draksetup: Check for missing default.target.wants (#617)
  • Fix GUID_AGE in $METADATA (#618)
  • drakrun, drakcore: Reraise exceptions for karton (#616)
  • Extract macros only from some office formats (#610)
  • Stop relying on NtTerminateProcess in pstree (#607)
  • drakrun: Silence benign errors (#606)
  • Improve help messages (#612, #645)

DRAKVUF Sandbox v0.18.0-rc2

26 Oct 17:03
da1ad6c
Pre-release
DRAKVUF Sandbox v0.18.0-rc2 (#652)

DRAKVUF Sandbox v0.17.2

10 Aug 14:11
v0.17.2

Changelog:

  • Fixed RTF file analysis (#610)

DRAKVUF Sandbox v0.17.1

07 Aug 14:34
v0.17.1

Changelog:

  • Silenced sample errors (#606)
  • Fixed process tree generation (#607)