/*
 * VMI callback: start tracing a process once its name matches the
 * name armed by the "tracebyname" machinery.
 *
 * params->cp.name / params->cp.pid are read from the callback record.
 * Nothing happens unless a name is currently set (procname_is_set()).
 * On a match the trace is started for that PID, the PID is registered
 * with trackproc, a notice is printed, and the pending name is cleared
 * so the match only fires once.
 *
 * NOTE(review): the match is purely by guest-reported process name, so
 * any guest process that adopts the armed name will be the one traced;
 * presumably acceptable for an analysis sandbox, but worth confirming.
 */
static void my_loadmainmodule_notify(VMI_Callback_Params * params)
{
    char *proc_name = params->cp.name;

    /* Not waiting for any process by name: nothing to do. */
    if (!procname_is_set()) {
        return;
    }
    if (!procname_match(proc_name)) {
        return;
    }

    /* Arm the trace for this PID and track it; same order as the original. */
    do_tracing_internal(params->cp.pid, tracefile);
    trackproc_start(params->cp.pid);
    DECAF_printf("Tracing %s\n", procname_get());

    /* One-shot: stop matching on name once the trace has started. */
    procname_clear();
}
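/*
 * procmod callback: start a trace by process name and/or switch the trace
 * to the first child of the traced root process.
 *
 * Part 1 (trace-by-name): if a process name is armed and the reported
 * module name (params->lmm.name) matches, start tracing params->lmm.pid,
 * print a notice, and clear the armed name so this only fires once.
 *
 * Part 2 (follow-child): if tracing_child is set and trackproc has found a
 * child, look up the child's CR3. If found (non-zero), redirect the plugin's
 * monitored CR3, tracepid and tracecr3 to the child, re-enable trace
 * writes, and clear tracing_child. If find_cr3() yields 0 the switch is
 * skipped and a message is printed; the flag is left set so a later
 * callback can retry.
 *
 * Fix: the PID and CR3 are uint32_t, but were printed with "%d"/"%x"
 * (signed/unsigned int). Cast them to unsigned and print with "%u"/"%08x"
 * so the format and argument types agree.
 *
 * NOTE(review): both the name and the CR3 come from guest-observed state;
 * a guest process naming itself to match the armed name will be the one
 * traced. Presumably acceptable for a sandbox, but worth confirming.
 */
static void tracing_proc_start(procmod_Callback_Params * params)
{
    /* If tracingbyname, check if this is the process to trace. If so, start the trace */
    if (procname_is_set()) {
        if (procname_match(params->lmm.name)) {
            uint32_t pid = params->lmm.pid;
            // Start tracing
            do_tracing_internal(pid, tracefile);
            monitor_printf(default_mon, "Tracing %s\n", procname_get());
            // No need to keep monitoring process name
            procname_clear();
        }
    }

    /* If tracing child and first child then trace child instead of parent and enable logging */
    if (tracing_child && trackproc_found_child()) {
        uint32_t curr_pid = trackproc_get_current_pid();
        /* Only act on a PID that trackproc knows about and that is not the root itself. */
        if ((trackproc_find_pid(curr_pid) != -1) && (curr_pid != trackproc_get_root_pid())) {
            uint32_t child_cr3 = find_cr3(curr_pid);
            if (0 == child_cr3) {
                /* 0 is find_cr3()'s "not found" value; leave tracing_child set so we can retry. */
                monitor_printf(default_mon, "CR3 for child process %u not found\n",
                               (unsigned)curr_pid);
            } else {
                /* Redirect the trace to the child's address space. */
                decaf_plugin->monitored_cr3 = child_cr3;
                tracepid = curr_pid;
                tracecr3 = child_cr3;
                monitor_printf(default_mon, "Now tracing child process. PID: %u CR3: 0x%08x\n",
                               (unsigned)curr_pid, (unsigned)child_cr3);
                /* Re-enable trace writes now that the child is the target, and stop following. */
                skip_trace_write = 0;
                tracing_child = 0;
            }
        }
    }
}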