Required DRAKVUF patch for SNIPER - How to remove this requirement ?

[ohault]

SNIPER is an accurate, robust, and transparent tracing solution for Windows APIs.

SNIPER comes in two implementation variants. One builds on DBI (dynamic binary instrumentation) and another one for CPU virtualization extensions (Intel VT-x) that ships as an extension of the DRAKVUF analysis system, relying on its invisible breakpoints for out-of-guest instrumentation*.

(*) Unfortunately, the SNIPER extension for DRAKVUF relies on a dedicated DRAKVUF patch -
patch-drakvuf-376c03d.diff

According to the roadmap of DRAKVUF, how DRAKVUF design and implementation should be enhanced to enable a future version of SNIPER that will no longer require a dedicated DRAKVUF patch ?

[tklengyel]

Patches are always welcome, consider opening a PR and working on upstreaming it

[tklengyel]

I looked at the patch briefly and it looks like a good addition. It would still need to be cleaned up and ideally split into multiple PRs but I don't see a blocker for it being upstreamed.

[dcdelia]

Hi, SNIPER co-author here. We developed it atop DRAKVUF 376c03d, which dates back to several years ago. It may be worth a look seeing if the patch and SNIPER are still functional on recent versions. For a proper integration, some of the challenges we faced back then have likely been addressed by the apimon plugin (e.g., causing page faults to force library code loading for breakpoint insertion IIRC) and general DRAKVUF development, so some choices could be done better now. We are no longer developing SNIPER but would be happy to provide some insights and materials if someone is interested in trying this.

[ohault]

Hi @dcdelia, thank you very much for your answer.

[ohault]

Hi @tklengyel, if one would like to contribute by working on a PR in replacement of the SNIPER patch for DRAKVUF, could you share some insights to start with about a description of what should be done and how?