Explore Joe Security Cloud Basic Accounts Contact Us
top title background image

Joe Trace

The Hypervisor-based Process Monitor - built for Malware Analysis

Joe Trace is Sysinternal's Process Monitor on Steroids -
a hypervisor-based process monitor built for manual malware analysis.

Joe Trace has the following features:

  • Hypervisor-based stealthy system call tracing (VMx)
  • Tracing of processes, threads, files, registries, network,
    memory and driver system events among others
  • Customizable user-mode API tracing based on Frida
  • Extensive system wide raw data capturing like network traffic (PCAP),
    dropped files and memory dumps
  • Deep Yara integration for malware detection (live raw data scanning)
  • Extensive filtering including malware execution tracking
  • Quick searching and event highlighting
  • E-mail alerting on filter hits
  • Event exporting capabilities to different formats like CSV, XML and JSON
  • Tree-based process overview with highlighting of interesting processes

Joe Trace is designed for the following use-cases:

  • Manual and deep dynamic malware analysis
  • Long term (from days to several weeks) malware observation
  • Exploit and vulnerability analysis
  • Developing and testing Yara rules
  • Malware data capturing (PCAP, dropped files and memory dumps)
Use Joe Trace on Joe Lab the Cloud-based Malware Analysis Lab.
Joe Trace

Joe Trace Explained

Sandboxes or dynamic malware analysis systems such as Joe Sandbox are of great help, and a key tool of any CERT, CIRT, SOC or malware analysist. However, in particular cases, analysts need to do a more thorough or longer analysis of a malware sample. What tools do analysts have for this purpose? There are debuggers such as OllyDbg or WinDbg which are often detected by malware and are complex to use. There is Sysinternal's Process Monitor or Rohitab API Monitor which are great tools but are not designed to perform malware analysis and lack many important features.

Joe Trace was built to fill this gap. It is a hypervisor-based API and process monitor tool which was created for the purpose of deep dynamic malware analysis. It is a software tool which can be installed on any Windows 7 or Windows 10 machine to trace any system or user-mode API calls. It captures large amount of raw data - system wide. E.g. all created or modified files are preserved. Memory dumps are captured at various stages during the lifetime of a process. The complete network traffic is stored in a PCAP file. Analysts can also use Yara to detect malware. Joe Trace uses your Yara rules to scan all the raw data and shows you the signature results - live, while you are running the tool. Today's malware employs complex infection schemes using multiple process, LoL-bins and techniques. Joe Trace tackles this by using a built-in process tracking mechanisms and helps analysts to focus on the malware behavior at all stages of an infection. Finally, Joe Trace includes an e-mail based alert feature. This enables users to get notified during long term malware observation about new behaviors such as new C&C connections, config downloads, installation of new malware etc.


Learn more about Joe Trace

Contact Joe Security to schedule a technical presentation or get a trial.

Hypervisor-Based stealthy event tracing

Joe Trace includes a customized hypervisor which uses the latest CPU-virtualization features such as VT-x to trace system calls. A hypervisor is harder to detect by malware and makes it possible to extract more behavior.

Hypervisor-Based stealthy event tracing

Extensive system event tracing

Joe Trace traces a vast number of API and system calls, including malware related calls such as NtWriteVirtualMemory, NtSetContextThread, NtQueueAPCThread, and NtUserSetWindowsHookEx. In addition, Joe Trace captures network events, such as DNS queries and answers, and TCP connections.

Extensive system event tracing

System-wide raw data capturing

Joe Trace not only traces events, but also raw data such as all created and modified files, memory dumps of processes (various stages of the process lifetime) and full network traffic (as PCAP). Analysts can access the raw data at any time and perform further analysis.

System-wide raw data capturing

Customizable user-mode API tracing with Frida

Joe Trace features a Frida integration. Frida is the dynamic instrumentation toolkit for developers, reverse engineers, and security researchers. Through the customizable Frida integration analysts can trace any usermode API call. Joe Trace's default Frida configuration traces major WinInet API calls, such as InternetOpen, InternetOpenUrl etc.

Customizable user-mode API tracing with Frida

Deep Yara integration for malware detection

Joe Trace features a deep Yara integration. Any raw data captured by Joe Trace is scanned with the help of Yara - including memory dumps. Analysts can use the built-in Yara signature repository of Joe Security or use their own rules for malware detection. Signature matches are shown live in the Joe Trace events overview.

Deep Yara integration for malware detection

Malware execution tracking and filtering

Tracing extensive amount of data is great but useless until you have tracking and filtering mechanisms. Joe Trace features various filters from API calls to arguments. To follow malware persisting and installation behavior it includes a malware execution tracking feature. These filters and trackers help malware analysts to focus on the important data.

Malware execution tracking and filtering

E-Mail alerts

Long term malware analysis is a big use-case of many CERTs / CIRTs / SOCs. The goal is to extract C&C connections or download of configurations and payloads which happen only after hours or days. Thanks to the e-mail alerting feature in Joe Trace analysts are notified about important events such as Yara hits. As a result they don't have to constantly watch the event overview.

E-Mail alerts

Request a Joe Trace trial

Contact Joe Security to receive a free trial for Joe Trace.

What is a process monitor?

A process monitor traces all system events of all processes on a Windows system. That includes filesystem, registry, memory activites such as created files, created registry keys, allocated memory etc.

What is Joe Trace?

Joe Trace is a process monitor using latest CPU virtualization features for event tracing.

What operating systems are supported?

Windows 7 x64 and Windows 10 x64.

Who should use Joe Trace?

- Any SOC, CERT, CIRT or malware analyst who wants to deeply analyse malware.
- Any vendors or security team developing and testing Yara signatures
- Intelligence agencies studying APT malware

I already use Sysinternal's Process Monitor - why do I need Joe Trace?

Sysinternal's process monitor is not designed for malware analysis. It does not capture dropped files, memory dumps or PCAPs. There is also no Yara integration for malware detection. Sysinternal's process monitor also does not use CPU virtualization for event tracing. As a result, it misses many events and is easily bypassed by malware. Finally Joe Trace enables to track the malware execution flow and define e-mail based alerts. These are unique features that Sysinternal's process monitor does not offer.

Can I use my own Yara rules to detect malware with Joe Trace?

Yes, your Yara rules will be used to scan all dropped files and memory dumps. Yara siganture matches are directly shown in Joe Trace.

I want to trace some specific user-mode APIs. Is this possible with Joe Trace?

Yes, through the Frida integration you can easily trace any user-mode API.

I want to perform long term malware observation. How can I get notified about new events captured by Joe Trace?

Joe Trace has an e-Mail based alert functionality. Based on the chosen filter, you get informed as soon as a Yara signature hit or another event triggers.

What is the licensing model of Joe Trace?

Per machine basis.

Can I license Joe Trace together with Joe Lab?

Yes. We also provide discounts for a combined offer.