/*
 * VMI callback: a process' main module was loaded.
 *
 * When a process name is pending (set by the by-name tracing command) and
 * the newly loaded process matches it, tracing and process tracking are
 * started for that pid using the trace path stored in tracefile, and the
 * pending name is cleared so only the first match is traced.
 */
static void my_loadmainmodule_notify(VMI_Callback_Params *params)
{
    const char *loaded_name = params->cp.name;

    /* Nothing pending, or a different process: ignore the event. */
    if (!procname_is_set() || !procname_match(loaded_name)) {
        return;
    }

    uint32_t target_pid = params->cp.pid;
    do_tracing_internal(target_pid, tracefile);
    trackproc_start(target_pid);
    DECAF_printf("Tracing %s\n", procname_get());
    procname_clear();
}
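/*
 * Monitor command handler: start tracing the process with a given pid.
 *
 * Reads "pid" and "filepath" from the command's QDict. If VMI knows a
 * process with that pid, its name is remembered (procname_set), the trace
 * path is stored in the global tracefile, tracing is started and process
 * tracking is enabled. Otherwise an error message is printed.
 *
 * The file path is used exactly as supplied by the monitor command; no
 * validation of the path happens here.
 */
void do_tracing(Monitor *mon, const QDict *qdict)
{
    (void)mon;
    uint32_t pid = qdict_get_int(qdict, "pid");
    const char *filename = qdict_get_str(qdict, "filepath");
    char proc_name[512];
    uint32_t cr3;

    if (VMI_find_process_by_pid_c(pid, proc_name, sizeof proc_name, &cr3) == -1) {
        DECAF_printf("Unable to find process %d \n", pid);
        return;
    }

    procname_set(proc_name);
    /* snprintf always NUL-terminates; strncpy(tracefile, filename, 256)
     * left tracefile unterminated for paths of 256 bytes or more. 256 is
     * the bound this file uses for tracefile everywhere else. */
    snprintf(tracefile, 256, "%s", filename);
    do_tracing_internal(pid, filename);
    trackproc_start(pid);
}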
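/*
 * Start tracing the process named progname, writing the trace to filename.
 *
 * If a process with that name is already running, tracing and process
 * tracking start immediately. Otherwise only the name and trace path are
 * recorded (procname_set / tracefile) so that the load-main-module
 * callback starts tracing once the process appears.
 */
static void do_tracing_by_name_internal(const char *progname, const char *filename)
{
    uint32_t pid = VMI_find_pid_by_name_c(progname);
    const uint32_t not_found = (uint32_t)(-1);

    /* Both outcomes record the name and trace path; do it once.
     * snprintf always NUL-terminates, unlike the previous strncpy(…, 256). */
    procname_set(progname);
    snprintf(tracefile, 256, "%s", filename);

    if (pid != not_found) {
        /* Process already running: start tracing now */
        do_tracing_internal(pid, filename);
        trackproc_start(pid);
        return;
    }

    /* Otherwise wait for the process to start (see my_loadmainmodule_notify) */
    DECAF_printf("Waiting for process %s to start\n", progname);
}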
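/*
 * Open the trace output files and arm the tracing callbacks for pid.
 *
 * filename: path of the main trace file. "<filename>.functions" and
 * "<filename>.netlog" are derived from it; all three names are bounded at
 * 128 bytes (the size this file uses for tracename/functionsname) and are
 * silently truncated beyond that.
 *
 * Returns 0 on success and -1 if either output file cannot be opened; in
 * that case the error is reported with perror, no file is left open and
 * tracepid/tracecr3 are reset to 0. A pid whose CR3 cannot be found does
 * not fail the call: tracepid becomes -1 and every process is traced.
 */
int tracing_start(uint32_t pid, const char *filename)
{
    /* Copy trace filename to global variable. snprintf always
     * NUL-terminates; the previous strncpy(…, 128) did not for long paths. */
    snprintf(tracename, 128, "%s", filename);
    /* Set name for functions file */
    snprintf(functionsname, 128, "%s.functions", filename);

    /* If previous trace did not close properly, close files now */
    if (tracelog) {
        close_trace(tracelog);
    }
    if (tracenetlog) {
        fclose(tracenetlog);
    }

    /* Initialize trace file */
    tracelog = fopen(filename, "w");
    if (tracelog == NULL) {
        perror("tracing_start");
        tracepid = 0;
        tracecr3 = 0;
        return -1;
    }
    setvbuf(tracelog, filebuf, _IOFBF, FILEBUFSIZE);

    /* Initialize netlog file */
    char netname[128];
    snprintf(netname, sizeof netname, "%s.netlog", filename);
    tracenetlog = fopen(netname, "w");
    if (tracenetlog == NULL) {
        perror("tracing_start");
        /* Do not leave the half-initialised trace file open and non-NULL:
         * nothing has been written to it yet, so a plain fclose suffices. */
        fclose(tracelog);
        tracelog = NULL;
        tracepid = 0;
        tracecr3 = 0;
        return -1;
    }
    fprintf(tracenetlog, "Flow Off Data\n");
    fflush(tracenetlog);

    /* Set PID and CR3 of the process to be traced */
    tracecr3 = find_cr3(pid);
    if (tracecr3 == 0) {
        monitor_printf(default_mon, "CR3 for PID %d not found. Tracing all processes!\n", pid);
        tracepid = -1;
    } else {
        tracepid = pid;
    }
    monitor_printf(default_mon, "PID: %d CR3: 0x%08x\n", tracepid, tracecr3);

    /* Initialize disassembler */
    xed2_init();
    /* Clear trace statistics */
    clear_trace_stats();
    /* Clear skip taint flags */
    init_st();
    /* Initialize hooks only for this process */
    decaf_plugin->monitored_cr3 = tracecr3;

    /* Get system start usage (non-fatal if unavailable) */
    if (getrusage(RUSAGE_SELF, &startUsage) != 0) {
        monitor_printf(default_mon, "Could not get start usage\n");
    }

    /* If tracing child processes, load the process-tracking hooks */
    if (tracing_child) {
        trackproc_start(pid);
        load_hooks_in_plugin(&tracecr3, "group_process.so", hook_dirname);
    }

    /* Register block and instruction callbacks */
    block_begin_cb_handle = DECAF_register_callback(DECAF_BLOCK_BEGIN_CB, tracing_block_begin, NULL);
    insn_begin_cb_handle = DECAF_register_callback(DECAF_INSN_BEGIN_CB, tracing_insn_begin, &should_monitor);
    insn_end_cb_handle = DECAF_register_callback(DECAF_INSN_END_CB, tracing_insn_end, &should_monitor);
    return 0;
}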