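/*
 * Entry point of the stand-alone DRAKVUF injector (positional-argument flavour).
 *
 *   argv[1]  Rekall profile of the guest kernel
 *   argv[2]  Xen domain to introspect
 *   argv[3]  PID of an existing guest process that will be used to spawn <app>
 *   argv[4]  command line to start inside the guest
 *
 * Flow: install signal handlers for a clean exit, initialise libdrakvuf on the
 * domain, pause the guest, inject, resume, close.
 *
 * Exit status: 0 when the guest process was started, 1 on a usage error, when
 * libdrakvuf fails to initialise, or when injection fails.  The previous
 * version returned the raw drakvuf_inject_cmd() result, which is non-zero on
 * SUCCESS, so callers testing the exit status saw it inverted.
 */
int main(int argc, char** argv)
{
    /* argv[0] may be NULL when executed with an empty argv; never feed that to %s. */
    const char *prog = (argc > 0 && argv[0]) ? argv[0] : "injector";

    if (argc < 5) {
        printf("Usage: ./%s <rekall profile> <domain> <pid> <app>\n", prog);
        return 1;
    }

    const char *rekall_profile = argv[1];
    const char *domain = argv[2];
    char *app = argv[4];

    /*
     * <pid> selects which guest process gets hijacked to run <app>, so it is
     * validated strictly: the whole argument must be a decimal number, it must
     * be > 0, and it must round-trip through vmi_pid_t.  atoi() turned garbage
     * into 0 and the old "pid > 0" test then skipped injection while still
     * exiting 0.  <errno.h> is not known to be in scope here, so an overflow
     * clamped by strtol() to LONG_MAX is only caught by the round-trip check
     * (i.e. wherever long is wider than vmi_pid_t).
     */
    char *end = NULL;
    long pid_val = strtol(argv[3], &end, 10);
    if (end == argv[3] || *end != '\0' || pid_val <= 0
        || (long)(vmi_pid_t)pid_val != pid_val) {
        fprintf(stderr, "Invalid PID '%s': expected a positive integer\n", argv[3]);
        return 1;
    }
    vmi_pid_t pid = (vmi_pid_t)pid_val;

    bool verbose = false;
#ifdef DRAKVUF_DEBUG
    verbose = true;
#endif

    /*
     * Clean exit on the usual termination signals.  Zero-initialise the whole
     * struct so fields the code does not set explicitly (e.g. sa_restorer on
     * glibc) are not handed to the kernel uninitialised.
     */
    struct sigaction act = {0};
    act.sa_handler = close_handler;
    act.sa_flags = 0;
    sigemptyset(&act.sa_mask);
    sigaction(SIGHUP, &act, NULL);
    sigaction(SIGTERM, &act, NULL);
    sigaction(SIGINT, &act, NULL);
    sigaction(SIGALRM, &act, NULL);

    /* Do not pause/inject into a domain we failed to attach to. */
    if (!drakvuf_init(&drakvuf, domain, rekall_profile, verbose)) {
        fprintf(stderr, "Failed to initialize on domain %s\n", domain);
        return 1;
    }
    drakvuf_pause(drakvuf);

    printf("Injector starting %s through PID %u\n", app, (unsigned)pid);

    /* drakvuf_inject_cmd() reports success as non-zero; map that to exit 0. */
    int rc = 0;
    if (drakvuf_inject_cmd(drakvuf, pid, app)) {
        printf("Process startup success\n");
    } else {
        printf("Process startup failed\n");
        rc = 1;
    }

    drakvuf_resume(drakvuf);
    drakvuf_close(drakvuf);
    return rc;
}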
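/*
 * Parse a base-10 integer command-line argument strictly.
 *
 * The entire string must be consumed by the conversion and the value must lie
 * in [lo, hi]; on success the value is stored in *out and true is returned.
 * strtoll() clamps out-of-range input to LLONG_MIN/LLONG_MAX, which the range
 * check rejects for any [lo, hi] narrower than long long.  Leading whitespace
 * and an explicit sign are accepted, as with strtoll().
 */
static bool parse_long_arg(const char *s, long long lo, long long hi, long long *out)
{
    if (!s || *s == '\0')
        return false;

    char *end = NULL;
    long long v = strtoll(s, &end, 10);
    if (*end != '\0' || v < lo || v > hi)
        return false;

    *out = v;
    return true;
}

/*
 * Entry point of the DRAKVUF injector (getopt flavour).
 *
 *   -r <profile>   Rekall profile of the guest kernel        (required)
 *   -d <domain>    Xen domain to introspect                  (required)
 *   -i <pid>       guest PID used to start the payload       (required, > 0)
 *   -I <tid>       guest TID to hijack                        (optional, default 0)
 *   -e <file>      path inside the guest to execute           (required)
 *   -c <cwd>       working directory for the started process  (optional)
 *   -m <method>    shellexec | createproc | shellcode | doppelganging
 *   -B <path>      host-side binary for doppelganging         (required with -m doppelganging)
 *   -P <process>   target process for doppelganging           (required with -m doppelganging)
 *   -g             global search when resolving the target
 *   -v             verbose (effective only in DRAKVUF_DEBUG builds)
 *   -l             use the libvmi config file
 *
 * Exit status: 0 when the guest process was started, 1 otherwise.
 *
 * Fixes relative to the previous version:
 *  - "c:" was missing from the getopt string, so -c was rejected as an
 *    unknown option and the 'c' case was unreachable.
 *  - option-parsing errors returned rc, which was still 0 (success).
 *  - -i/-I used atoi(): garbage became 0, negatives wrapped into the
 *    uint32_t thread id.
 *  - -m used strncmp() prefix matches ("shellcodeXYZ" was accepted).
 *  - getopt() returns int; storing it in char breaks the != -1 comparison
 *    on platforms where char is unsigned.
 */
int main(int argc, char** argv)
{
    int rc = 0;
    vmi_pid_t injection_pid = 0;
    uint32_t injection_thread = 0;
    int c;
    char* rekall_profile = NULL;
    char* domain = NULL;
    char* inject_file = NULL;
    char* inject_cwd = NULL;
    bool injection_global_search = false;
    char* binary_path = NULL;
    char* target_process = NULL;
    injection_method_t injection_method = INJECT_METHOD_CREATEPROC;
    bool verbose = false;
    bool libvmi_conf = false;

    if (argc < 4) {
        print_help();
        return 1;
    }

    while ((c = getopt(argc, argv, "r:d:i:I:e:c:m:B:P:vlg")) != -1) {
        long long v;

        switch (c) {
        case 'r':
            rekall_profile = optarg;
            break;
        case 'd':
            domain = optarg;
            break;
        case 'i':
            /*
             * The PID chooses which guest process is hijacked, so accept only a
             * strictly positive value.  INT32_MAX is used as the bound because
             * libvmi's vmi_pid_t is a signed 32-bit type in the versions this
             * code targets — TODO confirm against the libvmi header in use.
             */
            if (!parse_long_arg(optarg, 1, INT32_MAX, &v)) {
                fprintf(stderr, "Invalid PID '%s': expected a positive integer\n", optarg);
                return 1;
            }
            injection_pid = (vmi_pid_t)v;
            break;
        case 'I':
            /* 0 keeps the default (no specific thread); anything else must fit uint32_t. */
            if (!parse_long_arg(optarg, 0, UINT32_MAX, &v)) {
                fprintf(stderr, "Invalid TID '%s': expected an unsigned 32-bit integer\n", optarg);
                return 1;
            }
            injection_thread = (uint32_t)v;
            break;
        case 'e':
            inject_file = optarg;
            break;
        case 'c':
            inject_cwd = optarg;
            break;
        case 'm':
            /* Exact match only; prefix matching silently accepted typos. */
            if (!strcmp(optarg, "shellexec"))
                injection_method = INJECT_METHOD_SHELLEXEC;
            else if (!strcmp(optarg, "createproc"))
                injection_method = INJECT_METHOD_CREATEPROC;
            else if (!strcmp(optarg, "shellcode"))
                injection_method = INJECT_METHOD_SHELLCODE;
            else if (!strcmp(optarg, "doppelganging"))
                injection_method = INJECT_METHOD_DOPP;
            else {
                fprintf(stderr, "Unrecognized injection method\n");
                return 1;
            }
            break;
        case 'g':
            injection_global_search = true;
            break;
        case 'B':
            binary_path = optarg;
            break;
        case 'P':
            target_process = optarg;
            break;
        case 'v':
            /*
             * -v is in the option string for every build; in a non-debug build
             * it used to fall into default: and abort with exit status 0.
             * Accept it and say why it has no effect instead.
             */
#ifdef DRAKVUF_DEBUG
            verbose = true;
#else
            fprintf(stderr, "Verbose output is only available in DRAKVUF_DEBUG builds; ignoring -v\n");
#endif
            break;
        case 'l':
            libvmi_conf = true;
            break;
        default:
            /* getopt() returns '?' (or ':') here and has already printed its own diagnostic. */
            fprintf(stderr, "Unrecognized option: %c\n", c);
            return 1;
        }
    }

    if (!rekall_profile || !domain || !injection_pid || !inject_file) {
        print_help();
        return 1;
    }

    /* Process doppelganging needs both the host binary and the guest target. */
    if (INJECT_METHOD_DOPP == injection_method && (!binary_path || !target_process)) {
        print_help();
        return 1;
    }

    /*
     * Clean exit on the usual termination signals.  Zero-initialise so fields
     * not set explicitly (e.g. sa_restorer on glibc) are not passed to the
     * kernel uninitialised.
     */
    struct sigaction act = {0};
    act.sa_handler = close_handler;
    act.sa_flags = 0;
    sigemptyset(&act.sa_mask);
    sigaction(SIGHUP, &act, NULL);
    sigaction(SIGTERM, &act, NULL);
    sigaction(SIGINT, &act, NULL);
    sigaction(SIGALRM, &act, NULL);

    if (!drakvuf_init(&drakvuf, domain, rekall_profile, NULL, verbose, libvmi_conf)) {
        fprintf(stderr, "Failed to initialize on domain %s\n", domain);
        return 1;
    }

    printf("Injector starting %s through PID %u TID: %u\n",
           inject_file, (unsigned)injection_pid, (unsigned)injection_thread);

    int injection_result = injector_start_app(
        drakvuf,
        injection_pid,
        injection_thread,
        inject_file,
        inject_cwd,
        injection_method,
        OUTPUT_DEFAULT,
        binary_path,
        target_process,
        false,
        NULL,
        injection_global_search);

    /* injector_start_app() reports success as non-zero; map that to exit 0. */
    if (injection_result) {
        printf("Process startup success\n");
    } else {
        printf("Process startup failed\n");
        rc = 1;
    }

    drakvuf_resume(drakvuf);
    drakvuf_close(drakvuf, 0);
    return rc;
}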