DRAKVUF allows injecting a binary directly into a running virtual machine. The current implementation uses either CreateProcessA() or ShellExecuteA() from the Windows API, which requires the program we want to execute to already be present in the guest's filesystem. Furthermore, once the function is called, the new process carries the name of that file. This can allow malware to detect the presence of DRAKVUF if we run known analysis tools.

To solve this issue we can use a more advanced technique to inject our binary. Among all the possibilities, the Process Doppelgänging technique seems the most suitable. It allows the binary to be injected directly into memory, without modifying the filesystem, by using an NTFS transaction.

Mathieu Dolmen

  • Tamas K Lengyel
  • vpb