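/*
 * Return the PID of the parent of the tracked process uiPID.
 *
 * Looks uiPID up in l_arTrackProcInfo, follows the entry's m_iParent index
 * and returns that entry's m_uiPID.
 *
 * Returns (uint32_t)-1 when uiPID is not tracked, or when the stored parent
 * index does not name a filled slot of the table (index < 0 or >= l_iNumProc).
 * The second case is a defensive check: m_iParent is only ever set to a
 * found index by trackproc_add_new_handle, but the root entry is initialised
 * elsewhere and its parent index is not visible here -- TODO confirm; the
 * check keeps an unexpected value from reading outside the array.
 */
uint32_t trackproc_get_parent_pid(uint32_t uiPID) {
    int iPos = trackproc_find_pid(uiPID);
    if (iPos == -1) {
        return (uint32_t)-1;
    }

    int iParent = l_arTrackProcInfo[iPos].m_iParent;
    /* Never index the table with a slot that has not been filled */
    if (iParent < 0 || iParent >= l_iNumProc) {
        return (uint32_t)-1;
    }

    return l_arTrackProcInfo[iParent].m_uiPID;
}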
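/*
 * Register a new child-process handle uiHandle whose parent is the tracked
 * process uiParentPID.
 *
 * The new entry's PID is set to -1 (unknown) until it is learned later; its
 * m_iParent is the table index of the parent entry.
 *
 * Returns 0 on success, -1 if the table already holds MAX_CHILDPROC entries,
 * -2 if uiHandle is already tracked, and -3 if uiParentPID is not tracked.
 * All checks run before the free slot is written, so a failed call leaves
 * l_arTrackProcInfo and l_iNumProc untouched (the original filled the slot
 * before validating the parent, leaving a half-written entry behind on -3).
 */
int trackproc_add_new_handle(uint32_t uiHandle, uint32_t uiParentPID) {
    /* Check that maximum number of children is not exceeded */
    if (l_iNumProc >= MAX_CHILDPROC) {
        monitor_printf(default_mon, "Maximum number of child processes exceeded, ignoring\n");
        return -1;
    }

    /* Check if the handle is already in the array */
    if (trackproc_find_handle(uiHandle) >= 0) {
        return -2;
    }

    /* Validate the parent before touching the free slot */
    int iParentIndex = trackproc_find_pid(uiParentPID);
    if (iParentIndex < 0) {
        return -3;
    }

    l_arTrackProcInfo[l_iNumProc].m_uiHandle = uiHandle;
    l_arTrackProcInfo[l_iNumProc].m_uiPID = -1;   /* PID not known yet */
    l_arTrackProcInfo[l_iNumProc].m_iParent = iParentIndex;

    /* Increase number of processes being tracked */
    l_iNumProc++;
    return 0;
}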
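/*
 * procmod callback invoked when a process starts.
 *
 * Two independent jobs:
 *  1. If a process name to trace has been set (procname_is_set) and the new
 *     process's name matches it, start tracing that PID with
 *     do_tracing_internal and clear the name so it matches only once.
 *  2. If tracing_child is set and the tracker reports that the first child
 *     has been found, move the trace from the parent to that child: update
 *     decaf_plugin->monitored_cr3, tracepid and tracecr3, re-enable trace
 *     writing (skip_trace_write = 0) and clear tracing_child.
 *
 * The switch in (2) only happens for a PID that is tracked and is not the
 * root, and only if its CR3 can be resolved; otherwise a message is printed
 * and all state is left unchanged so a later callback can retry.
 *
 * PIDs are uint32_t, so they are printed with %u; the original used %d,
 * which is a printf type mismatch.
 */
static void tracing_proc_start(procmod_Callback_Params * params) {
    /* Tracing by name: is this the process we are waiting for? */
    if (procname_is_set() && procname_match(params->lmm.name)) {
        uint32_t pid = params->lmm.pid;
        do_tracing_internal(pid, tracefile);
        monitor_printf(default_mon, "Tracing %s\n", procname_get());
        /* Match once: no need to keep watching process names */
        procname_clear();
    }

    /* Tracing a child: switch from the parent to the first child found */
    if (!tracing_child || !trackproc_found_child()) {
        return;
    }

    uint32_t curr_pid = trackproc_get_current_pid();
    if (trackproc_find_pid(curr_pid) == -1 || curr_pid == trackproc_get_root_pid()) {
        return;
    }

    uint32_t child_cr3 = find_cr3(curr_pid);
    if (child_cr3 == 0) {
        monitor_printf(default_mon, "CR3 for child process %u not found\n", curr_pid);
        return;
    }

    decaf_plugin->monitored_cr3 = child_cr3;
    tracepid = curr_pid;
    tracecr3 = child_cr3;
    monitor_printf(default_mon, "Now tracing child process. PID: %u CR3: 0x%08x\n", curr_pid, child_cr3);
    skip_trace_write = 0;
    tracing_child = 0;
}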