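/*
 * Plugin cleanup: detach every callback this plugin registered.
 *
 * The guest is paused around the unregistration so no callback fires while
 * its handle is being torn down.  Each handle is reset to DECAF_NULL_HANDLE
 * once released, so a second cleanup call (or a cleanup after a partially
 * completed init) cannot hand a stale handle back to the unregister API.
 * Every check compares against DECAF_NULL_HANDLE rather than testing the
 * handle for truthiness, so it does not depend on the null handle being 0.
 */
static void tracing_cleanup(void) {
	DECAF_stop_vm();

	/* VMI process/module lifecycle callbacks */
	if (removeproc_handle != DECAF_NULL_HANDLE) {
		VMI_unregister_callback(VMI_REMOVEPROC_CB, removeproc_handle);
		removeproc_handle = DECAF_NULL_HANDLE;
	}
	if (loadmainmodule_handle != DECAF_NULL_HANDLE) {
		VMI_unregister_callback(VMI_CREATEPROC_CB, loadmainmodule_handle);
		loadmainmodule_handle = DECAF_NULL_HANDLE;
	}
	if (loadmodule_handle != DECAF_NULL_HANDLE) {
		VMI_unregister_callback(VMI_LOADMODULE_CB, loadmodule_handle);
		loadmodule_handle = DECAF_NULL_HANDLE;
	}

	/* DECAF core callbacks */
	if (block_begin_cb_handle != DECAF_NULL_HANDLE) {
		DECAF_unregister_callback(DECAF_BLOCK_BEGIN_CB, block_begin_cb_handle);
		block_begin_cb_handle = DECAF_NULL_HANDLE;
	}
	if (insn_begin_cb_handle != DECAF_NULL_HANDLE) {
		DECAF_unregister_callback(DECAF_INSN_BEGIN_CB, insn_begin_cb_handle);
		insn_begin_cb_handle = DECAF_NULL_HANDLE;
	}
	if (insn_end_cb_handle != DECAF_NULL_HANDLE) {
		DECAF_unregister_callback(DECAF_INSN_END_CB, insn_end_cb_handle);
		insn_end_cb_handle = DECAF_NULL_HANDLE;
	}
	if (nic_rec_cb_handle != DECAF_NULL_HANDLE) {
		DECAF_unregister_callback(DECAF_NIC_REC_CB, nic_rec_cb_handle);
		nic_rec_cb_handle = DECAF_NULL_HANDLE;
	}
	if (nic_send_cb_handle != DECAF_NULL_HANDLE) {
		DECAF_unregister_callback(DECAF_NIC_SEND_CB, nic_send_cb_handle);
		nic_send_cb_handle = DECAF_NULL_HANDLE;
	}
	if (keystroke_cb_handle != DECAF_NULL_HANDLE) {
		DECAF_unregister_callback(DECAF_KEYSTROKE_CB, keystroke_cb_handle);
		keystroke_cb_handle = DECAF_NULL_HANDLE;
	}
	if (check_eip_handle != DECAF_NULL_HANDLE) {
		DECAF_unregister_callback(DECAF_EIP_CHECK_CB, check_eip_handle);
		check_eip_handle = DECAF_NULL_HANDLE;
	}

	DECAF_start_vm();
}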
/*
 * Release every callback handle owned by the tracing plugin.
 *
 * A handle that is still live is unregistered and then reset to
 * DECAF_NULL_HANDLE, so a repeated cleanup finds nothing left to release.
 * The procmod handles go first; the guest is then paused while the DECAF
 * core callbacks are removed, and resumed before hooks are unloaded.
 */
#define TRACING_RELEASE_HANDLE(unregister_fn, cb_type, handle_var) \
  do { \
    if ((handle_var) != DECAF_NULL_HANDLE) { \
      unregister_fn((cb_type), (handle_var)); \
      (handle_var) = DECAF_NULL_HANDLE; \
    } \
  } while (0)

static void tracing_cleanup(void)
{
  /* Stop an in-progress trace before its callbacks disappear */
  tracing_stop();

  /* procmod (process lifecycle) callbacks */
  TRACING_RELEASE_HANDLE(procmod_unregister_callback,
                         PROCMOD_REMOVEPROC_CB, removeproc_handle);
  TRACING_RELEASE_HANDLE(procmod_unregister_callback,
                         PROCMOD_LOADMAINMODULE_CB, loadmainmodule_handle);

  /* DECAF core callbacks: the guest is paused so none fires mid-teardown */
  DECAF_stop_vm();
  TRACING_RELEASE_HANDLE(DECAF_unregister_callback,
                         DECAF_BLOCK_BEGIN_CB, block_begin_cb_handle);
  TRACING_RELEASE_HANDLE(DECAF_unregister_callback,
                         DECAF_INSN_BEGIN_CB, insn_begin_cb_handle);
  TRACING_RELEASE_HANDLE(DECAF_unregister_callback,
                         DECAF_INSN_END_CB, insn_end_cb_handle);
  TRACING_RELEASE_HANDLE(DECAF_unregister_callback,
                         DECAF_NIC_REC_CB, nic_rec_cb_handle);
  TRACING_RELEASE_HANDLE(DECAF_unregister_callback,
                         DECAF_NIC_SEND_CB, nic_send_cb_handle);
  TRACING_RELEASE_HANDLE(DECAF_unregister_callback,
                         DECAF_KEYSTROKE_CB, keystroke_cb_handle);
  DECAF_start_vm();

  /* Sleuthkit teardown (tracing_bdrv_cleanup) is not wired up for now */

  /* Unload hooks */
  unload_hook_plugins();
}

#undef TRACING_RELEASE_HANDLE
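/*
 * Plugin entry point: fill in the tracing plugin's interface descriptor and
 * register its DECAF and VMI callbacks.
 *
 * Handles this build never registers are explicitly reset to
 * DECAF_NULL_HANDLE so that tracing_cleanup's liveness checks are reliable
 * whatever the globals held before (they are not touched here otherwise,
 * and the taint callbacks only exist under CONFIG_TCG_TAINT).
 *
 * Returns a pointer to the static tracing_interface descriptor.
 */
plugin_interface_t * init_plugin(void) {

	/* Pick the comparison used for process/module names.
	 * NOTE(review): 0x80000000 presumably identifies a guest whose kernel
	 * base implies case-insensitive (Windows-style) names — confirm. */
	if (0x80000000 == VMI_guest_kernel_base)
		comparestring = strcasecmp;
	else
		comparestring = strcmp;

	tracing_interface.plugin_cleanup = tracing_cleanup;
	tracing_interface.mon_cmds = tracing_term_cmds;
	tracing_interface.info_cmds = tracing_info_cmds;

	/* Start every optional handle out null; the ones below are assigned
	 * only when registered. */
	block_begin_cb_handle = DECAF_NULL_HANDLE;
	keystroke_cb_handle = DECAF_NULL_HANDLE;
	nic_rec_cb_handle = DECAF_NULL_HANDLE;
	nic_send_cb_handle = DECAF_NULL_HANDLE;
	check_eip_handle = DECAF_NULL_HANDLE;

	/* Pause the guest while DECAF core callbacks are installed
	 * (for now, instruction callbacks are received globally) */
	DECAF_stop_vm();

	/* insn begin/end; &should_monitor is passed through as the callback
	 * argument — presumably the enable flag DECAF consults, confirm */
	insn_begin_cb_handle = DECAF_register_callback(DECAF_INSN_BEGIN_CB,
			tracing_insn_begin, &should_monitor);

	insn_end_cb_handle = DECAF_register_callback(DECAF_INSN_END_CB,
			tracing_insn_end, &should_monitor);
#ifdef CONFIG_TCG_TAINT
	/* taint NIC receive/send callbacks */
	nic_rec_cb_handle = DECAF_register_callback(DECAF_NIC_REC_CB,
			tracing_nic_recv, NULL);
	nic_send_cb_handle = DECAF_register_callback(DECAF_NIC_SEND_CB,
			tracing_nic_send, NULL);
	printf("register nic callback \n");

	/* check whether EIP becomes tainted */
	check_eip_handle = DECAF_register_callback(DECAF_EIP_CHECK_CB, check_eip, NULL);
	printf("register eip check callback\n");
#endif /*CONFIG_TCG_TAINT*/

	DECAF_start_vm();

	/* VMI process/module lifecycle callbacks */
	removeproc_handle = VMI_register_callback(VMI_REMOVEPROC_CB,
			my_removeproc_notify, NULL);
	loadmainmodule_handle = VMI_register_callback(VMI_CREATEPROC_CB,
			my_loadmainmodule_notify, NULL);
	loadmodule_handle = VMI_register_callback(VMI_LOADMODULE_CB,
			my_loadmodule_notify, NULL);
	tracing_init();
	return &tracing_interface;
}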
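/*
 * Plugin entry point: select the name comparison, install the taint-engine
 * hooks (when TAINT_ENABLED), fill in the plugin interface and register the
 * callbacks that live for the whole plugin lifetime.
 *
 * Instruction, block and keystroke handles are deliberately left null here;
 * they are registered later (when tracing starts / when needed) and
 * tracing_cleanup relies on DECAF_NULL_HANDLE to tell live handles from
 * unused ones.
 *
 * Returns a pointer to the static tracing_interface descriptor.
 */
plugin_interface_t * init_plugin(void)
{
  /* Select string comparison function.
   * NOTE(review): 0x80000000 presumably identifies a guest whose kernel
   * base implies case-insensitive (Windows-style) names — confirm. */
  if (0x80000000 == kernel_mem_start)
    comparestring = strcasecmp;
  else
    comparestring = strcmp;

#ifdef TAINT_ENABLED
  /* Taint engine hooks: record size, propagation, disk taint I/O and the
   * tainted-EIP detector */
  taint_config->taint_record_size = sizeof(taint_record_t);
  taint_config->taint_propagate = tracing_taint_propagate;
  taint_config->taint_disk = tracing_taint_disk;
  taint_config->read_disk_taint = tracing_read_disk_taint;
  taint_config->eip_tainted = taintedeip_detection;
#endif /* TAINT_ENABLED */

  /* Set interface fields */
  tracing_interface.plugin_cleanup = tracing_cleanup;
  tracing_interface.mon_cmds = tracing_term_cmds;
  tracing_interface.info_cmds = tracing_info_cmds;
  tracing_interface.after_loadvm = tracing_after_loadvm;
  /* No Sleuthkit for now: tracing_interface.bdrv_open is left unset */

  /* Register the lifetime callbacks; the guest is paused while DECAF core
   * callbacks are installed */
  DECAF_stop_vm();

  nic_rec_cb_handle =
    DECAF_register_callback(DECAF_NIC_REC_CB, tracing_nic_recv, NULL);

  nic_send_cb_handle =
    DECAF_register_callback(DECAF_NIC_SEND_CB, tracing_nic_send, NULL);

  DECAF_start_vm();

  /* Insn begin and end callbacks are registered when tracing starts */
  block_begin_cb_handle = DECAF_NULL_HANDLE;
  insn_begin_cb_handle = DECAF_NULL_HANDLE;
  insn_end_cb_handle = DECAF_NULL_HANDLE;

  /* Keystroke handler will be registered later if needed */
  keystroke_cb_handle = DECAF_NULL_HANDLE;

  /* procmod callbacks: process exit and main-module load */
  removeproc_handle =
    procmod_register_callback(PROCMOD_REMOVEPROC_CB,
                              procexit_detection, NULL);

  loadmainmodule_handle =
    procmod_register_callback(PROCMOD_LOADMAINMODULE_CB,
                              tracing_proc_start, NULL);

  /* Initialize tracing */
  tracing_init();

  /* Return plugin interface */
  return &tracing_interface;
}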