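/*
 * GTK "toggled" callback for the enable checkbox in the plugin list.
 *
 * cell     - the toggle renderer that emitted the signal (unused).
 * path_str - tree path of the toggled row, as a string.
 * data     - the GtkTreeModel (a GtkListStore) that backs the list.
 *
 * Flips the row's ENABLE_COLUMN and enables or disables the monitor stored
 * in MON_COLUMN to match.  A plugin that was enabled from the command line
 * cannot be switched off here: its row is forced back to TRUE and
 * enable_plugin() is invoked again.
 *
 * Fix: the original ignored the return value of gtk_tree_model_get_iter(),
 * so a path that no longer names a row left 'iter' uninitialised and the
 * subsequent gtk_tree_model_get() read garbage.  Both the path conversion
 * and the iterator lookup are now checked before the row is touched.
 */
static void
cb_enable_plugin(GtkCellRendererToggle *cell, gchar *path_str, gpointer data)
	{
	GtkTreeModel	*model = (GtkTreeModel *) data;
	GtkTreeIter	iter;
	GtkTreePath	*path;
	GkrellmMonitor	*mon = NULL;
	gboolean	enable = FALSE;
	gboolean	found;

	(void) cell;

	/* gtk_tree_path_new_from_string() returns NULL for a malformed path. */
	path = gtk_tree_path_new_from_string(path_str);
	if (!path)
		return;
	found = gtk_tree_model_get_iter(model, &iter, path);
	gtk_tree_path_free(path);
	if (!found)
		return;		/* row vanished; 'iter' is not valid */

	gtk_tree_model_get(model, &iter,
			ENABLE_COLUMN, &enable,
			MON_COLUMN, &mon,
			-1);
	if (!mon)
		return;		/* nothing to toggle for a row without a monitor */

	/* Command-line plugins stay on; otherwise flip the stored state. */
	if (mon->privat->from_command_line)
		enable = TRUE;
	else
		enable = !enable;

	gtk_list_store_set(GTK_LIST_STORE(model), &iter, ENABLE_COLUMN, enable, -1);

	if (enable)
		enable_plugin(mon);
	else
		disable_plugin(mon);
	place_button_sensitivity(mon, enable);
	}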
/*
 * Toggle the plugin called 'name': disable it when plugin_enabled()
 * reports it on, enable it otherwise.  The button argument is unused here.
 */
static void
enable_or_disable_plugin(GtkToggleButton *button, const gchar *name)
	{
	(void) button;

	if (!plugin_enabled(name))
		{
		enable_plugin(name);
		return;
		}
	disable_plugin(name);
	}
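/*
 * Parse a decimal command-line integer into *out, accepting only values in
 * [lo, hi].  Prints a diagnostic naming the option and returns false on an
 * empty argument, trailing junk or an out-of-range value.  strtoll()
 * saturates at LLONG_MIN/LLONG_MAX on overflow, which lies outside every
 * range used by main(), so overflow is caught by the bounds check without
 * consulting errno.
 */
static bool parse_int_arg(char opt, const char *text, long long lo, long long hi, long long *out)
{
    char *end = NULL;
    long long v;

    if (!text || !*text)
    {
        fprintf(stderr, "Option -%c needs a numeric argument\n", opt);
        return false;
    }
    v = strtoll(text, &end, 10);
    if (*end != '\0' || v < lo || v > hi)
    {
        fprintf(stderr, "Invalid value for -%c: '%s' (expected an integer in [%lld, %lld])\n",
                opt, text, lo, hi);
        return false;
    }
    *out = v;
    return true;
}

/*
 * DRAKVUF command-line entry point.
 *
 * Required: -r <rekall profile>, -d <domain ID or name>.
 * Optional:  -i/-I/-e injection target, thread and command; -t timeout in
 *            seconds; -D dump folder; -o output format; -x plugin to leave
 *            disabled; -v verbose output (DRAKVUF_DEBUG builds only).
 *
 * Return value follows the library's true-on-success convention rather than
 * the shell's: 1 after the event loop finishes, 0 on a usage error, on a
 * failed drakvuf_c construction, a failed injection or a failed plugin start.
 * NOTE(review): a script testing $? therefore sees a clean run as a failure;
 * left unchanged because existing callers may depend on it.
 *
 * Fixes over the original: numeric options are validated with strtoll()
 * instead of atoi() (which silently turned junk into 0 and let a negative
 * -I wrap into a large unsigned thread id); -e/-I without a usable -i, or -i
 * without -e, are now reported instead of silently skipping injection; an
 * unknown -o format is reported rather than silently ignored.
 */
int main(int argc, char** argv)
{
    int c, rc = 0, timeout = 0;
    char *inject_cmd = NULL;
    char *domain = NULL;
    char *rekall_profile = NULL;
    char *dump_folder = NULL;
    vmi_pid_t injection_pid = -1;
    uint32_t injection_thread = 0;
    long long val = 0;          /* scratch for validated numeric options */
    struct sigaction act;
    output_format_t output = OUTPUT_DEFAULT;
    bool plugin_list[] = {[0 ... __DRAKVUF_PLUGIN_LIST_MAX-1] = 1};
    bool verbose = 0;

    fprintf(stderr, "%s v%s\n", PACKAGE_NAME, PACKAGE_VERSION);

    if ( __DRAKVUF_PLUGIN_LIST_MAX == 0 )
    {
        fprintf(stderr, "No plugins have been enabled, nothing to do!\n");
        return rc;
    }

    if (argc < 4)
    {
        fprintf(stderr, "Required input:\n"
                "\t -r <rekall profile> The Rekall profile of the Windows kernel\n"
                "\t -d <domain ID or name> The domain's ID or name\n"
                "Optional inputs:\n"
                "\t -i <injection pid> The PID of the process to hijack for injection\n"
                "\t -I <injection thread> The ThreadID in the process to hijack for injection (requires -i)\n"
                "\t -e <inject_exe> The executable to start with injection\n"
                "\t -t <timeout> Timeout (in seconds)\n"
                "\t -D <file dump folder> Folder where extracted files should be stored at\n"
                "\t -o <format> Output format (default or csv)\n"
                "\t -x <plugin> Don't activate the specified plugin\n"
#ifdef DRAKVUF_DEBUG
                "\t -v Turn on verbose (debug) output\n"
#endif
               );
        return rc;
    }

    while ((c = getopt (argc, argv, "r:d:i:I:e:t:D:o:vx:")) != -1)
    {
        switch (c)
        {
            case 'r':
                rekall_profile = optarg;
                break;
            case 'd':
                domain = optarg;
                break;
            case 'i':
                /* A PID of 0 or below can never be a valid injection target. */
                if (!parse_int_arg('i', optarg, 1, INT32_MAX, &val))
                    return rc;
                injection_pid = (vmi_pid_t)val;
                break;
            case 'I':
                if (!parse_int_arg('I', optarg, 0, UINT32_MAX, &val))
                    return rc;
                injection_thread = (uint32_t)val;
                break;
            case 'e':
                inject_cmd = optarg;
                break;
            case 't':
                /* Seconds; a negative timeout is meaningless. */
                if (!parse_int_arg('t', optarg, 0, INT32_MAX, &val))
                    return rc;
                timeout = (int)val;
                break;
            case 'D':
                dump_folder = optarg;
                break;
            case 'o':
                if (!strcmp(optarg, "csv"))
                    output = OUTPUT_CSV;
                else if (strcmp(optarg, "default"))
                    fprintf(stderr, "Unknown output format '%s', using default\n", optarg);
                break;
            case 'x':
                disable_plugin(optarg, plugin_list);
                break;
#ifdef DRAKVUF_DEBUG
            case 'v':
                verbose = 1;
                break;
#endif
            default:
                fprintf(stderr, "Unrecognized option: %c\n", c);
                return rc;
        }
    }

    if (!domain)
    {
        fprintf(stderr, "No domain name specified (-d)!\n");
        return rc;
    }
    if (!rekall_profile)
    {
        fprintf(stderr, "No Rekall profile specified (-r)!\n");
        return rc;
    }

    /*
     * Injection needs both a target PID and a command; -I is only meaningful
     * with -i.  Previously a half-specified injection was skipped silently,
     * which for a sandbox run means the sample never executes.
     */
    if (injection_pid > 0 || inject_cmd || injection_thread)
    {
        if (injection_pid <= 0)
        {
            fprintf(stderr, "-e and -I require an injection PID (-i)!\n");
            return rc;
        }
        if (!inject_cmd)
        {
            fprintf(stderr, "-i requires an executable to inject (-e)!\n");
            return rc;
        }
    }

    try
    {
        drakvuf = new drakvuf_c(domain, rekall_profile, output, timeout, verbose);
    }
    catch (int)
    {
        fprintf(stderr, "Failed to initialize DRAKVUF\n");
        return rc;
    }

    /* for a clean exit */
    act.sa_handler = close_handler;
    act.sa_flags = 0;
    sigemptyset(&act.sa_mask);
    sigaction(SIGHUP, &act, NULL);
    sigaction(SIGTERM, &act, NULL);
    sigaction(SIGINT, &act, NULL);
    sigaction(SIGALRM, &act, NULL);

    if ( injection_pid > 0 && inject_cmd )
    {
        rc = drakvuf->inject_cmd(injection_pid, injection_thread, inject_cmd);
        if (!rc)
            goto exit;
    }

    rc = drakvuf->start_plugins(plugin_list, dump_folder);
    if (!rc)
        goto exit;

    /* Start the event listener */
    drakvuf->loop();

    rc = 1;

exit:
    drakvuf->pause();
    delete drakvuf;

    return rc;
}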