static void my_loadmainmodule_notify(VMI_Callback_Params * params) {
char *name = params->cp.name;
if (procname_is_set()) {
if (procname_match(name)) {
do_tracing_internal(params->cp.pid, tracefile);
trackproc_start(params->cp.pid);
DECAF_printf( "Tracing %s\n", procname_get());
procname_clear();
}
}
}
void do_tracing(Monitor *mon, const QDict *qdict)
{
uint32_t pid = qdict_get_int(qdict, "pid");
const char *filename = qdict_get_str(qdict, "filepath");
char proc_name[512];
uint32_t cr3;
if( VMI_find_process_by_pid_c(pid, proc_name, 512, &cr3)!= -1){
procname_set(proc_name);
strncpy(tracefile, filename, 256);
do_tracing_internal(pid, filename);
trackproc_start(pid);
}
else
DECAF_printf("Unable to find process %d \n", pid);
}
static void do_tracing_by_name_internal(const char *progname,
const char *filename) {
/* If process already running, start tracing */
uint32_t pid = VMI_find_pid_by_name_c(progname);
uint32_t minus_one = (uint32_t)(-1);
if (pid != minus_one) {
procname_set(progname);
strncpy(tracefile, filename, 256);
do_tracing_internal(pid, filename);
trackproc_start(pid);
return;
}
/* Otherwise, start monitoring for process start */
procname_set(progname);
strncpy(tracefile, filename, 256);
DECAF_printf( "Waiting for process %s to start\n", progname);
}
int tracing_start(uint32_t pid, const char *filename)
{
/* Copy trace filename to global variable */
strncpy(tracename, filename, 128);
/* Set name for functions file */
snprintf(functionsname, 128, "%s.functions", filename);
/* If previous trace did not close properly, close files now */
if (tracelog)
close_trace(tracelog);
if (tracenetlog)
fclose(tracenetlog);
/* Initialize trace file */
tracelog = fopen(filename, "w");
if (0 == tracelog) {
perror("tracing_start");
tracepid = 0;
tracecr3 = 0;
return -1;
}
setvbuf(tracelog, filebuf, _IOFBF, FILEBUFSIZE);
/* Initialize netlog file */
char netname[128];
snprintf(netname, 128, "%s.netlog", filename);
tracenetlog = fopen(netname, "w");
if (0 == tracenetlog) {
perror("tracing_start");
tracepid = 0;
tracecr3 = 0;
return -1;
}
else {
fprintf(tracenetlog, "Flow Off Data\n");
fflush(tracenetlog);
}
/* Set PID and CR3 of the process to be traced */
tracecr3 = find_cr3(pid);
if (0 == tracecr3) {
monitor_printf(default_mon,
"CR3 for PID %d not found. Tracing all processes!\n",pid);
tracepid = -1;
}
else {
tracepid = pid;
}
monitor_printf(default_mon, "PID: %d CR3: 0x%08x\n", tracepid, tracecr3);
/* Initialize disassembler */
xed2_init();
/* Clear trace statistics */
clear_trace_stats();
/* Clear skip taint flags */
init_st();
/* Initialize hooks only for this process */
decaf_plugin->monitored_cr3 = tracecr3;
/* Get system start usage */
if (getrusage(RUSAGE_SELF, &startUsage) != 0)
monitor_printf (default_mon, "Could not get start usage\n");
// If tracing child, load process tracking hooks
if (tracing_child) {
trackproc_start(pid);
load_hooks_in_plugin(&tracecr3, "group_process.so", hook_dirname);
}
/* Register block and instruction callbacks */
block_begin_cb_handle =
DECAF_register_callback(DECAF_BLOCK_BEGIN_CB, tracing_block_begin, NULL);
insn_begin_cb_handle =
DECAF_register_callback(DECAF_INSN_BEGIN_CB,
tracing_insn_begin, &should_monitor);
insn_end_cb_handle =
DECAF_register_callback(DECAF_INSN_END_CB,
tracing_insn_end, &should_monitor);
return 0;
}
