static event_response_t file_name_cb(drakvuf_t drakvuf, drakvuf_trap_info_t *info) { vmi_instance_t vmi = drakvuf_lock_and_get_vmi(drakvuf); struct file_watch *watch = (struct file_watch*)info->trap->data; filetracer *f = watch->f; if (info->trap_pa == watch->file_name_buffer) { addr_t file_name = 0; uint16_t length = 0; vmi_read_addr_pa(vmi, watch->file_name_buffer, &file_name); vmi_read_16_pa(vmi, watch->file_name_length, &length); //printf("File name @ 0x%lx. Length: %u\n", file_name, length); if (file_name && length > 0 && length < VMI_PS_4KB) { char *procname = drakvuf_get_current_process_name(drakvuf, info->vcpu, info->regs); unicode_string_t str = { .contents = NULL }; str.length = length; str.encoding = "UTF-16"; str.contents = (unsigned char *)g_malloc0(length); vmi_read_va(vmi, file_name, 0, str.contents, length); unicode_string_t str2 = { .contents = NULL }; status_t rc = vmi_convert_str_encoding(&str, &str2, "UTF-8"); if (VMI_SUCCESS == rc) { switch(f->format) { case OUTPUT_CSV: printf("filetracer,%" PRIu32 ",0x%" PRIx64 ",%s,%s\n", info->vcpu, info->regs->cr3, procname, str2.contents); break; default: case OUTPUT_DEFAULT: printf("[FILETRACER] VCPU:%" PRIu32 " CR3:0x%" PRIx64 ",%s %s\n", info->vcpu, info->regs->cr3, procname, str2.contents); break; }; g_free(str2.contents); } free(str.contents); free(procname); //printf("Requesting to free writetrap @ %p\n", info->trap); info->trap->data=f; drakvuf_remove_trap(drakvuf, info->trap, free_writetrap); }
/**
 * Detach a trap owned by this plugin and ask DRAKVUF to remove it.
 *
 * @param drakvuf  DRAKVUF instance the trap was registered with.
 * @param trap     Trap previously added by this plugin; it is dropped from
 *                 m_params and then passed to drakvuf_remove_trap().
 *
 * destroy_plugin_params is handed over as the removal callback; presumably it
 * releases the per-trap parameters once DRAKVUF has torn the trap down
 * (its body is not visible here — confirm against its definition).
 */
void pluginex::destroy_trap(drakvuf_t drakvuf, drakvuf_trap_t* trap)
{
    // Drop the trap from the plugin's bookkeeping list *before* requesting
    // removal, so m_params never refers to a trap that is being destroyed.
    GSList* remaining = g_slist_remove(m_params, trap);
    m_params = remaining;

    drakvuf_remove_trap(drakvuf, trap, destroy_plugin_params);
}