bool drakvuf_init(drakvuf_t *drakvuf, const char *domain, const char *rekall_profile, bool _verbose) { if ( !domain || !rekall_profile ) return 0; #ifdef DRAKVUF_DEBUG verbose = _verbose; #endif *drakvuf = g_malloc0(sizeof(struct drakvuf)); (*drakvuf)->rekall_profile = g_strdup(rekall_profile); g_mutex_init(&(*drakvuf)->vmi_lock); if ( !xen_init_interface(&(*drakvuf)->xen) ) goto err; get_dom_info((*drakvuf)->xen, domain, &(*drakvuf)->domID, &(*drakvuf)->dom_name); domid_t test = ~0; if ( (*drakvuf)->domID == test ) goto err; if (!init_vmi(*drakvuf)) goto err; return 1; err: drakvuf_close(*drakvuf); *drakvuf = NULL; return 0; }
int main(int argc, char** argv) { DIR* dir; struct dirent* ent; unsigned int i; unsigned int processed = 0; unsigned int total_processed = 0; int ret = 0; struct sigaction act; shutting_down = 0; if (argc!=15) { printf("Not enough arguments: %i!\n", argc); printf("%s <loop (0) or poll (1)> <origin domain name> <domain config> <rekall_profile> <injection pid> <watch folder> <serve folder> <output folder> <max clones> <clone_script> <config_script> <drakvuf_script> <cleanup_script> <tcpdump_script>\n", argv[0]); return 1; } /* for a clean exit */ act.sa_handler = close_handler; act.sa_flags = 0; sigemptyset(&act.sa_mask); sigaction(SIGHUP, &act, NULL); sigaction(SIGTERM, &act, NULL); sigaction(SIGINT, &act, NULL); sigaction(SIGALRM, &act, NULL); xen_init_interface(&xen); int do_poll = atoi(argv[1]); domain_name = argv[2]; domain_config = argv[3]; rekall_profile = argv[4]; injection_pid = atoi(argv[5]); in_folder = argv[6]; run_folder = argv[7]; out_folder = argv[8]; threads = atoi(argv[9]); clone_script = argv[10]; config_script = argv[11]; drakvuf_script = argv[12]; cleanup_script = argv[13]; tcpdump_script = argv[14]; if (threads > 128) { printf("Too many clones requested (max 128 is specified right now)\n"); return 1; } for (i=0; i<threads; i++) g_mutex_init(&locks[i]); pool = g_thread_pool_new(run_drakvuf, NULL, threads, TRUE, NULL); int fd = inotify_init(); int wd = inotify_add_watch(fd, in_folder, IN_CLOSE_WRITE); char buffer[sizeof(struct inotify_event) + NAME_MAX + 1]; struct pollfd pollfd = { .fd = fd, .events = POLLIN }; int threadid = -1; do { processed = 0; while (threadid<0 && !shutting_down) { sleep(1); threadid = find_thread(); } if ((dir = opendir (in_folder)) != NULL) { while ((ent = readdir (dir)) != NULL && !shutting_down) { if (!strcmp(ent->d_name, ".") || !strcmp(ent->d_name, "..")) continue; char* command; command = g_strdup_printf("mv %s/%s %s/%s", in_folder, ent->d_name, run_folder, ent->d_name); printf("** MOVING FILE FOR PROCESSING: %s\n", command); g_spawn_command_line_sync(command, NULL, NULL, NULL, NULL); g_free(command); struct start_drakvuf* _start = prepare(NULL, threadid); start(_start, ent->d_name); threadid = -1; processed++; } closedir (dir); } else { printf("Failed to open target folder!\n"); ret = 1; break; } if ( processed ) { total_processed += processed; printf("Batch processing started %u samples (total %u)\n", processed, total_processed); } if ( !processed && !shutting_down ) { if ( do_poll ) { do { int rv = poll (&pollfd, 1, 1000); if ( rv < 0 ) { printf("Error polling\n"); ret = 1; break; } if ( rv > 0 && pollfd.revents & POLLIN ) { if ( read( fd, buffer, sizeof(struct inotify_event) + NAME_MAX + 1 ) < 0 ) { printf("Error reading inotify event\n"); ret = 1; } break; } } while (!shutting_down && !ret); } else sleep(1); } } while (!shutting_down && !ret); inotify_rm_watch( fd, wd ); close(fd); g_thread_pool_free(pool, FALSE, TRUE); if ( threadid >= 0 ) g_mutex_unlock(&locks[threadid]); for (i=0; i<threads; i++) g_mutex_clear(&locks[i]); xen_free_interface(xen); printf("Finished processing %u samples\n", total_processed); return ret; }
int main(int argc, char** argv) { DIR *dir; struct dirent *ent; unsigned int i, processed = 0; int ret = 0; if(argc!=14) { printf("Not enough arguments: %i!\n", argc); printf("%s <origin domain name> <domain config> <rekall_profile> <injection pid> <watch folder> <serve folder> <output folder> <max clones> <clone_script> <config_script> <drakvuf_script> <cleanup_script> <tcpdump_script>\n", argv[0]); return 1; } xen_init_interface(&xen); domain_name = argv[1]; domain_config = argv[2]; rekall_profile = argv[3]; injection_pid = atoi(argv[4]); in_folder = argv[5]; run_folder = argv[6]; out_folder = argv[7]; threads = atoi(argv[8]); clone_script = argv[9]; config_script = argv[10]; drakvuf_script = argv[11]; cleanup_script = argv[12]; tcpdump_script = argv[13]; if (threads > 128) { printf("Too many clones requested (max 128 is specified right now)\n"); return 1; } g_mutex_init(&prepare_lock); for(i=0;i<threads;i++) g_mutex_init(&locks[i]); pool = g_thread_pool_new(run_drakvuf, NULL, threads, TRUE, NULL); char buffer[sizeof(struct inotify_event) + NAME_MAX + 1]; int fd = inotify_init(); int wd = inotify_add_watch( fd, in_folder, IN_CLOSE_WRITE ); do { processed = 0; if ((dir = opendir (in_folder)) != NULL) { while ((ent = readdir (dir)) != NULL) { if (!strcmp(ent->d_name, ".") || !strcmp(ent->d_name, "..")) continue; char *command = g_malloc0(snprintf(NULL, 0, "mv %s/%s %s/%s", in_folder, ent->d_name, run_folder, ent->d_name) + 1); sprintf(command, "mv %s/%s %s/%s", in_folder, ent->d_name, run_folder, ent->d_name); printf("** MOVING FILE FOR PROCESSING: %s\n", command); g_spawn_command_line_sync(command, NULL, NULL, NULL, NULL); g_free(command); prepare(g_strdup(ent->d_name), NULL); processed++; } closedir (dir); } else { printf("Failed to open target folder!\n"); ret = 1; break; } if (!processed) { printf("Run folder is empty, waiting for file creation\n"); int l = read( fd, buffer, sizeof(struct inotify_event) + NAME_MAX + 1 ); if ( l <= 0 ) { ret = 1; break; } } } while(1); inotify_rm_watch( fd, wd ); close(fd); g_thread_pool_free(pool, FALSE, TRUE); g_mutex_clear(&prepare_lock); for(i=0;i<threads;i++) g_mutex_clear(&locks[i]); xen_free_interface(xen); printf("Finished processing this batch\n"); return ret; }