I am using VTune to analyze malware after which my system gets corrupted and becomes unrecoverable which means I can't access the analysis data. Is there a way to configure VTune on a Windows target so that the results of the analysis are sent to a remote syslog server or just another computer via SSH or something?
Unfortunately, VTune Amplifier doesn't support Windows as a target system. Is the result accessible after the system reboots? You may be able to open the result if the trace files are not corrupted.
If the result isn't accessible after reboot due to the system configuration (like tmpfs on Linux), try setting the result directory to another drive, a share or a flash drive.
As I understand it, you are working with a virtual machine running Windows. Am I right?
We're analyzing ransomware specifically... any lettered drive in Windows is potentially a target for encryption. I don't mind running VTune on the Windows machine (we recover using DeepFreeze), but what I want it to do is take VTune's analysis data and send it to another remote machine instead of saving it on the local Windows machine. After the ransomware runs, the data will be encrypted, and when I reboot, the data won't exist.
You have a very interesting use case... Do you tune the performance of the ransomware encryption app? You may not answer. =)
Is it possible to write a simple script which will start a VTune Amplifier collection and send the result to another host? Are all the files encrypted right after the collection is over, or after some time?
We're looking to see if there are any unique CPU performance metrics that are early indicators of ransomware running on the system. The idea is to detect ransomware in its earliest stages after executing, but for thoroughness, we need to measure the metrics of the entire process as well. We're not tuning the performance of the ransomware apps at all. We're simply running known samples as they would be run in the wild and looking for similarities in CPU metrics between different ransomware families in search of a viable detection method. To do this, I need access to the analysis data after the ransomware process completes, which is why I'd prefer to just send the data remotely as it is taken as opposed to saving it to a file and then sending the file (likely encrypted at that time) to a remote server. There's no telling when the log file would get encrypted during the process either, as the directory traversal method changes from sample to sample.
I see you are working on an interesting problem. But unfortunately VTune Amplifier 2018 does not support this workflow.
Also, the SSH collection which is implemented for Linux is outside your interest as well. It runs the collection on the target and, after the collection, sends the files stored on the target to the host system. So the files may be already encrypted...
Maybe you are able to run the collection as different users? So start the system-wide collection as Administrator and the application as a common user. Then the application will be unable to change files it is not permitted to.
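One way to set up the privilege split suggested in this reply, as an added example that is not part of the original thread: the result directory is ACL-locked so the unprivileged account the sample runs under cannot modify it, the collector runs elevated, and the finished result is copied off-box as soon as the collection ends. The account names, paths, share and the amplxe-cl command line are assumptions; confirm the collection options against `amplxe-cl -help collect` for your VTune version.

```powershell
# Added example (not from the original thread). Run elevated. Assumes amplxe-cl is on PATH,
# that the sample does not escalate privileges, and that $Share is a share this host can write to.
$ResultDir  = 'C:\vtune_results\run01'     # local result directory, owned by the admin
$SampleUser = 'SANDBOX\lowpriv'            # placeholder: restricted account the sample runs as
$Share      = '\\collector-host\results'   # placeholder: off-box destination for the result
$Sample     = 'C:\samples\sample.exe'      # placeholder: executable under test

New-Item -ItemType Directory -Force -Path $ResultDir | Out-Null

# Lock down the result directory: drop inherited ACEs, grant Administrators and SYSTEM
# full control, and explicitly deny the sample account Modify (read/write/delete) access.
icacls $ResultDir /inheritance:r | Out-Null
icacls $ResultDir /grant 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
icacls $ResultDir /deny "${SampleUser}:(OI)(CI)M" | Out-Null

# Start the system-wide collection as the elevated user (assumed command line:
# 2-minute duration, hardware-sampled hotspots, result written to $ResultDir).
$collector = Start-Process -FilePath 'amplxe-cl' `
    -ArgumentList @('-collect', 'advanced-hotspots', '-duration', '120', '-r', $ResultDir) `
    -PassThru -NoNewWindow

Start-Sleep -Seconds 5   # give the collector a moment to start before the sample runs

# Launch the sample under the restricted account; the deny ACE keeps it out of $ResultDir.
$cred = Get-Credential -UserName $SampleUser -Message 'Password for the restricted sample account'
Start-Process -FilePath $Sample -Credential $cred -WorkingDirectory 'C:\samples'

# Wait for VTune to finalize the result, then push it off the box immediately.
$collector.WaitForExit()
Copy-Item -Path $ResultDir -Destination $Share -Recurse -Force
```

The copy step still runs on the Windows box after the sample has executed, so the result is only as safe as the ACL and the elevated session that performs it; a desktop lock by the sample does not stop the script, but a privilege escalation would.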
I considered that, but I don't know how to filter out any of the system noise in the resulting data. Determining the delta isn't as easy as just looking at how the data changed when the ransomware process began. I need data points specific to the ransomware, and if the CPU has non-ransomware services running on other cores, it throws the accuracy of our data off. Not to mention, ransomware generally locks your desktop, making everything inaccessible after the encryption process completes.