void set_trace_kernel(Monitor *mon, const QDict *qdict) {
const char *filename = qdict_get_str(qdict, "filepath");
should_trace_all_kernel = 1;
do_tracing_internal(-1, filename);
}
void do_tracing(Monitor *mon, const QDict *qdict)
{
uint32_t pid = qdict_get_int(qdict, "pid");
const char *filename = qdict_get_str(qdict, "filepath");
do_tracing_internal(pid, filename);
}
static void my_loadmainmodule_notify(VMI_Callback_Params * params) {
char *name = params->cp.name;
if (procname_is_set()) {
if (procname_match(name)) {
do_tracing_internal(params->cp.pid, tracefile);
trackproc_start(params->cp.pid);
DECAF_printf( "Tracing %s\n", procname_get());
procname_clear();
}
}
}
void do_tracing(Monitor *mon, const QDict *qdict)
{
uint32_t pid = qdict_get_int(qdict, "pid");
const char *filename = qdict_get_str(qdict, "filepath");
char proc_name[512];
uint32_t cr3;
if( VMI_find_process_by_pid_c(pid, proc_name, 512, &cr3)!= -1){
procname_set(proc_name);
strncpy(tracefile, filename, 256);
do_tracing_internal(pid, filename);
trackproc_start(pid);
}
else
DECAF_printf("Unable to find process %d \n", pid);
}
static void do_tracing_by_name_internal(const char *progname,
const char *filename) {
/* If process already running, start tracing */
uint32_t pid = VMI_find_pid_by_name_c(progname);
uint32_t minus_one = (uint32_t)(-1);
if (pid != minus_one) {
procname_set(progname);
strncpy(tracefile, filename, 256);
do_tracing_internal(pid, filename);
trackproc_start(pid);
return;
}
/* Otherwise, start monitoring for process start */
procname_set(progname);
strncpy(tracefile, filename, 256);
DECAF_printf( "Waiting for process %s to start\n", progname);
}
static void tracing_proc_start(procmod_Callback_Params * params)
{
/* If tracingbyname, check if this is the process to trace.
If so, start the trace */
if (procname_is_set()) {
if (procname_match(params->lmm.name)) {
uint32_t pid = params->lmm.pid;
// Start tracing
do_tracing_internal(pid, tracefile);
monitor_printf(default_mon, "Tracing %s\n", procname_get());
// No need to keep monitoring process name
procname_clear();
}
}
/* If tracing child and first child
then trace child instead of parent and enable logging */
if (tracing_child && trackproc_found_child()) {
uint32_t curr_pid = trackproc_get_current_pid();
if ((trackproc_find_pid(curr_pid) != -1) &&
(curr_pid != trackproc_get_root_pid()))
{
uint32_t child_cr3 = find_cr3(curr_pid);
if (0 == child_cr3) {
monitor_printf(default_mon,
"CR3 for child process %d not found\n",curr_pid);
}
else {
decaf_plugin->monitored_cr3 = child_cr3;
tracepid = curr_pid;
tracecr3 = child_cr3;
monitor_printf(default_mon,
"Now tracing child process. PID: %d CR3: 0x%08x\n",
curr_pid, child_cr3);
skip_trace_write = 0;
tracing_child = 0;
}
}
}
}
static void do_tracing_by_name_internal(const char *progname,
const char *filename)
{
/* If process already running, start tracing */
uint32_t pid = find_pid_by_name(progname);
uint32_t minus_one = (uint32_t)(-1);
if (pid != minus_one) {
do_tracing_internal(pid,filename);
}
else {
/* Otherwise, start monitoring for process start */
procname_set(progname);
strncpy(tracefile, filename, 256);
monitor_printf (default_mon, "Waiting for process %s to start\n",
progname);
}
/* Print configuration variables */
//print_conf_vars();
}
/* Param format
<pid>:<traceFilename>:<pidToSignal>:<processName>
*/
void tracing_after_loadvm(const char*param)
{
char buf[256];
strncpy(buf, param, sizeof(buf) - 1);
buf[255] = '\0';
int pid_to_signal = 0;
char *pid_str = strtok(buf, ":");
if (!pid_str)
return;
char *trace_filename = strtok(0, ":");
if (!trace_filename)
return;
char *pid_to_signal_str = strtok(0, ":");
char *process_name = strtok(0, ":");
char *end = pid_str;
int pid = (int) strtol (pid_str, &end, 10);
if (end == pid_str) {
pid = -1;
}
/* If no PID or Process_name, return */
if ((process_name == NULL) && (pid == -1)) {
monitor_printf(default_mon, "PARAM: %s\n", param);
monitor_printf(default_mon, "START: %p END: %p\n", pid_str, end);
monitor_printf(default_mon, "No PID or Process_name provided\n");
return;
}
if (pid_to_signal_str) {
end = pid_to_signal_str;
pid_to_signal = (int) strtol (pid_to_signal_str, &end, 10);
if (end == pid_to_signal_str) {
pid_to_signal = 0;
}
}
monitor_printf (default_mon,
"PID: %d PID2SIGNAL: %d PROCESS_NAME: %s\n",
pid, pid_to_signal, process_name);
#ifdef TAINT_ENABLED
/* Taint the network */
do_taint_nic_internal(1);
/* Filter traffic (read from ini configuration file) */
print_nic_filter();
#endif // #ifdef TAINT_ENABLED
/* OS dependant initialization */
if (0 == taskaddr)
init_kernel_offsets();
if (0xC0000000 == kernel_mem_start) /* linux */
update_proc(0);
/* Load hooks */
do_load_hooks_internal("","");
/* Start trace */
if (process_name == NULL)
do_tracing_internal(pid, trace_filename);
else
do_tracing_by_name_internal(process_name,trace_filename);
/* Send signal to notify that trace is ready */
//if (pid_to_signal != 0) kill(pid_to_signal,SIGUSR1);
int pipe_fd = open("/tmp/tfd.pipe",O_WRONLY);
size_t num_written = write(pipe_fd,"OK",2);
if (num_written != 2) {
monitor_printf (default_mon, "Error writing to /tmp/tfd.pipe\n");
}
close(pipe_fd);
}
