
I am looking to simulate ransomware on gem5 to basically perform microarchitectural analysis. I want to simulate an environment where ransomware looks for files on a victim's computer and then encrypts them. I would also like to simulate screen-locker ransomware if possible, but file encryption is my top priority. I have looked into other simulation environments like Cuckoo Sandbox, but I am new to the field of ransomware and I am not sure if these types of sandbox software can help me analyze instruction patterns, memory access patterns, tweak the scheduler, etc. So, in summary, I am basically looking for ways to analyze the microarchitectural impact of ransomware. Any help is appreciated. Thanks.

  • What's stopping you from running ransomware inside a gem5 full-system emulation, under a Linux kernel in that virtual system? Or inside a QEMU+KVM VM, possibly using `perf` on the host if that lets you profile stuff the KVM guest is doing? – Peter Cordes Jun 03 '21 at 21:12
  • Hey, @PeterCordes, thanks for your suggestion. I was actually unaware that it is possible to perform FS emulation using a Linux kernel. Is it possible to use a Windows kernel in gem5 with the host kernel being Linux? Are there any videos or text guides you can suggest for me to learn how to run malware (or ransomware) in gem5 FS emulation? And regarding using `perf`, I do not think that is the way for me. Since I want to track the kernel's I/O request packets sent to the processor used inside the gem5 VM, I am not sure if `perf` can let me do that. – Preet Derasari Jun 05 '21 at 22:51
  • No idea, I've never actually used gem5, I just know it has a full-system emulation mode. – Peter Cordes Jun 06 '21 at 00:14

0 Answers