event_response_t debug_cb(drakvuf_t drakvuf, drakvuf_trap_info_t* info)
{
debugmon* s = (debugmon*)info->trap->data;
gchar* escaped_pname = NULL;
switch (s->format)
{
case OUTPUT_CSV:
printf("debugmon," FORMAT_TIMEVAL ",%" PRIu32 ",0x%" PRIx64 ",\"%s\",%" PRIi64 ",%" PRIx64 ",%" PRIi32 ",%s\n",
UNPACK_TIMEVAL(info->timestamp), info->vcpu, info->regs->cr3, info->proc_data.name, info->proc_data.userid,
info->regs->rip, info->debug->type, debug_type[info->debug->type]);
break;
case OUTPUT_KV:
printf("debugmon Time=" FORMAT_TIMEVAL ",PID=%d,PPID=%d,ProcessName=\"%s\","
"RIP=0x%" PRIx64",DebugType=%" PRIi32 ",DebugTypeStr=\"%s\"\n",
UNPACK_TIMEVAL(info->timestamp), info->proc_data.pid, info->proc_data.ppid, info->proc_data.name,
info->regs->rip, info->debug->type, debug_type[info->debug->type]);
break;
case OUTPUT_JSON:
escaped_pname = drakvuf_escape_str(info->proc_data.name);
printf( "{"
"\"Plugin\" : \"poolmon\","
"\"TimeStamp\" :" "\"" FORMAT_TIMEVAL "\","
"\"VCPU\": %" PRIu32 ","
"\"CR3\": %" PRIu64 ","
"\"ProcessName\": %s,"
"\"UserName\": \"%s\","
"\"UserId\": %" PRIu64 ","
"\"PID\" : %d,"
"\"PPID\": %d,"
"\"RIP\" : %" PRIu64","
"\"DebugType\" : %" PRIi32 ","
"\"DebugTypeStr\": \"%s\""
"}\n",
UNPACK_TIMEVAL(info->timestamp),
info->vcpu, info->regs->cr3, escaped_pname,
USERIDSTR(drakvuf), info->proc_data.userid,
info->proc_data.pid, info->proc_data.ppid,
info->regs->rip, info->debug->type, debug_type[info->debug->type]);
g_free(escaped_pname);
break;
default:
case OUTPUT_DEFAULT:
printf("[DEBUGMON] TIME:" FORMAT_TIMEVAL " VCPU:%" PRIu32 " CR3:0x%" PRIx64 ",\"%s\" %s:%" PRIi64". "
"RIP: 0x%" PRIx64". Debug type: %" PRIi32 ",%s\n",
UNPACK_TIMEVAL(info->timestamp), info->vcpu, info->regs->cr3, info->proc_data.name,
USERIDSTR(drakvuf), info->proc_data.userid,
info->regs->rip, info->debug->type, debug_type[info->debug->type]);
break;
}
return 0;
}
static void print_filedelete_information(filedelete* f, drakvuf_t drakvuf, drakvuf_trap_info_t* info, const char* filename, size_t bytes_read, uint64_t fo_flags)
{
std::string flags = parse_flags(fo_flags, fo_flags_map, f->format);
gchar* escaped_pname = NULL;
gchar* escaped_fname = NULL;
switch (f->format)
{
case OUTPUT_CSV:
printf("filedelete," FORMAT_TIMEVAL ",%" PRIu32 ",0x%" PRIx64 ",\"%s\",%" PRIi64 ",\"%s\",%" PRIu64 ",0x%" PRIx64 "(%s)\n",
UNPACK_TIMEVAL(info->timestamp), info->vcpu, info->regs->cr3, info->proc_data.name,
info->proc_data.userid, filename, bytes_read, fo_flags, flags.c_str());
break;
case OUTPUT_KV:
printf("filedelete Time=" FORMAT_TIMEVAL ",PID=%d,PPID=%d,ProcessName=\"%s\",Method=%s,FileName=\"%s\",Size=%ld,Flags=0x%" PRIx64 "%s%s\n",
UNPACK_TIMEVAL(info->timestamp), info->proc_data.pid, info->proc_data.ppid, info->proc_data.name,
info->trap->name, filename, bytes_read, fo_flags, (flags.empty() ? "" : ","), flags.c_str());
break;
case OUTPUT_JSON:
escaped_pname = drakvuf_escape_str(info->proc_data.name);
escaped_fname = drakvuf_escape_str(filename);
printf( "{"
"\"Plugin\" : \"filedelete\","
"\"TimeStamp\" :" "\"" FORMAT_TIMEVAL "\","
"\"ProcessName\": %s,"
"\"UserName\": \"%s\","
"\"UserId\": %" PRIu64 ","
"\"PID\" : %d,"
"\"PPID\": %d,"
"\"Method\" : \"%s\","
"\"FileName\" : %s,"
"\"Size\" : %ld,"
"\"Flags\" : %" PRIu64 ","
"\"FlagsExpanded\" : \"%s\""
"}\n",
UNPACK_TIMEVAL(info->timestamp),
escaped_pname,
USERIDSTR(drakvuf), info->proc_data.userid,
info->proc_data.pid, info->proc_data.ppid,
info->trap->name, escaped_fname,
bytes_read, fo_flags, flags.c_str());
g_free(escaped_fname);
g_free(escaped_pname);
break;
default:
case OUTPUT_DEFAULT:
printf("[FILEDELETE] TIME:" FORMAT_TIMEVAL " VCPU:%" PRIu32 " CR3:0x%" PRIx64 ",\"%s\" %s:%" PRIi64" \"%s\" SIZE:%" PRIu64 " FO_FLAGS:0x%" PRIx64 "(%s)\n",
UNPACK_TIMEVAL(info->timestamp), info->vcpu, info->regs->cr3, info->proc_data.name,
USERIDSTR(drakvuf), info->proc_data.userid, filename, bytes_read, fo_flags, flags.c_str());
break;
}
}
event_response_t cpuid_cb(drakvuf_t drakvuf, drakvuf_trap_info_t* info)
{
cpuidmon* s = (cpuidmon*)info->trap->data;
switch (s->format)
{
case OUTPUT_CSV:
printf("cpuidmon," FORMAT_TIMEVAL ",%" PRIu32 ",0x%" PRIx64 ",\"%s\",%" PRIi64 "\n",
UNPACK_TIMEVAL(info->timestamp), info->vcpu, info->regs->cr3, info->proc_data.name, info->proc_data.userid);
break;
case OUTPUT_KV:
printf("cpuidmon Time=" FORMAT_TIMEVAL ",PID=%d,PPID=%d,ProcessName=\"%s\","
"Leaf=0x%" PRIx32 ",Subleaf=0x%" PRIx32","
"RAX=0x%" PRIx64 ",RBX=0x%" PRIx64 ",RCX=0x%" PRIx64 ",RDX=0x%" PRIx64 "\n",
UNPACK_TIMEVAL(info->timestamp), info->proc_data.pid, info->proc_data.ppid, info->proc_data.name,
info->cpuid->leaf, info->cpuid->subleaf,
info->regs->rax, info->regs->rbx, info->regs->rcx, info->regs->rdx);
break;
default:
case OUTPUT_DEFAULT:
printf("[CPUIDMON] TIME:" FORMAT_TIMEVAL " VCPU:%" PRIu32 " CR3:0x%" PRIx64 ",\"%s\" %s:%" PRIi64". "
"Leaf: 0x%" PRIx32 ". Subleaf: 0x%" PRIx32". "
"RAX: 0x%" PRIx64 " RBX: 0x%" PRIx64 " RCX: 0x%" PRIx64 " RDX: 0x%" PRIx64 "\n",
UNPACK_TIMEVAL(info->timestamp), info->vcpu, info->regs->cr3, info->proc_data.name,
USERIDSTR(drakvuf), info->proc_data.userid,
info->cpuid->leaf, info->cpuid->subleaf,
info->regs->rax, info->regs->rbx, info->regs->rcx, info->regs->rdx
);
break;
};
if ( s->stealth )
{
if ( info->cpuid->leaf == 1 )
{
info->regs->rcx &= ~0x80000000;
}
if ( info->cpuid->leaf >= 0x40000000 && info->cpuid->leaf <= 0x40000004 )
{
info->regs->rax = 0;
info->regs->rbx = 0;
info->regs->rcx = 0;
info->regs->rdx = 0;
}
}
return 0;
}
static event_response_t cb(drakvuf_t drakvuf, drakvuf_trap_info_t* info)
{
poolmon* p = (poolmon*)info->trap->data;
page_mode_t pm = drakvuf_get_page_mode(drakvuf);
reg_t pool_type, size;
char tag[5] = { [0 ... 4] = '\0' };
struct pooltag* s = NULL;
const char* pool_type_str;
access_context_t ctx;
ctx.translate_mechanism = VMI_TM_PROCESS_DTB;
ctx.dtb = info->regs->cr3;
if (pm == VMI_PM_IA32E)
{
pool_type = info->regs->rcx;
size = info->regs->rdx;
*(reg_t*)tag = info->regs->r8;
}
else
{
vmi_lock_guard vmi_lg(drakvuf);
vmi_instance_t& vmi = vmi_lg.vmi;
ctx.addr = info->regs->rsp+12;
if ( VMI_FAILURE == vmi_read_32(vmi, &ctx, (uint32_t*)tag) )
return 0;
ctx.addr = info->regs->rsp+8;
if ( VMI_FAILURE == vmi_read_32(vmi, &ctx, (uint32_t*)&size) )
return 0;
ctx.addr = info->regs->rsp+4;
if ( VMI_FAILURE == vmi_read_32(vmi, &ctx, (uint32_t*)&pool_type) )
return 0;
}
s = (struct pooltag*)g_tree_lookup(p->pooltag_tree, tag);
pool_type_str = pool_type<MaxPoolType ? pool_types[pool_type] : "unknown_pool_type";
switch (p->format)
{
case OUTPUT_CSV:
printf("poolmon," FORMAT_TIMEVAL ",%" PRIu32 ",0x%" PRIx64 ",\"%s\",%" PRIi64 ",%s,%s,%" PRIu64 "",
UNPACK_TIMEVAL(info->timestamp), info->vcpu, info->regs->cr3, info->proc_data.name, info->proc_data.userid, tag,
pool_type_str, size);
if (s)
printf(",%s,%s", s->source, s->description);
break;
case OUTPUT_KV:
printf("poolmon Time=" FORMAT_TIMEVAL ",PID=%d,PPID=%d,ProcessName=\"%s\","
"Tag=%s,Type=%s,Size=%" PRIu64,
UNPACK_TIMEVAL(info->timestamp), info->proc_data.pid, info->proc_data.ppid, info->proc_data.name,
tag, pool_type_str, size);
if (s)
printf(",Source=%s,Description=%s", s->source, s->description);
break;
default:
case OUTPUT_DEFAULT:
printf("[POOLMON] TIME:" FORMAT_TIMEVAL " VCPU:%" PRIu32 " CR3:0x%" PRIx64 ",\"%s\" %s:%" PRIi64 " %s (type: %s, size: %" PRIu64 ")",
UNPACK_TIMEVAL(info->timestamp), info->vcpu, info->regs->cr3, info->proc_data.name,
USERIDSTR(drakvuf), info->proc_data.userid, tag,
pool_type_str, size);
if (s)
printf(": %s,%s", s->source, s->description);
break;
}
printf("\n");
return 0;
}
static event_response_t hook_cb(drakvuf_t drakvuf, drakvuf_trap_info_t* info)
{
bsodmon* f = static_cast<bsodmon*>(info->trap->data);
vmi_instance_t vmi = drakvuf_lock_and_get_vmi(drakvuf);
access_context_t ctx;
ctx.translate_mechanism = VMI_TM_PROCESS_DTB;
ctx.dtb = info->regs->cr3;
uint64_t code = 0;
uint64_t params[4] = { 0 };
const char* bugcheck_name = "UNKNOWN_CODE" ;
gchar* escaped_pname = NULL;
bool is32bit = drakvuf_get_page_mode(drakvuf) != VMI_PM_IA32E;
if (is32bit)
{
ctx.addr = info->regs->rsp + 4;
if ( VMI_FAILURE == vmi_read_32(vmi, &ctx, (uint32_t*)&code) )
goto done;
ctx.addr = info->regs->rsp + 8;
if ( VMI_FAILURE == vmi_read_32(vmi, &ctx, (uint32_t*)¶ms[0]) )
goto done;
ctx.addr = info->regs->rsp + 0xc;
if ( VMI_FAILURE == vmi_read_32(vmi, &ctx, (uint32_t*)¶ms[1]) )
goto done;
ctx.addr = info->regs->rsp + 0x10;
if ( VMI_FAILURE == vmi_read_32(vmi, &ctx, (uint32_t*)¶ms[2]) )
goto done;
ctx.addr = info->regs->rsp + 0x14;
if ( VMI_FAILURE == vmi_read_32(vmi, &ctx, (uint32_t*)¶ms[3]) )
goto done;
}
else
{
code = info->regs->rcx;
params[0] = info->regs->rdx;
params[1] = info->regs->r8;
params[2] = info->regs->r9;
ctx.addr = info->regs->rsp + 0x20;
if ( VMI_FAILURE == vmi_read_32(vmi, &ctx, (uint32_t*)¶ms[3]) )
goto done;
}
if ( f->bugcheck_map.find( code ) != f->bugcheck_map.end() )
bugcheck_name = f->bugcheck_map[ code ];
switch (f->format)
{
case OUTPUT_CSV:
printf("bsodmon," FORMAT_TIMEVAL ",%" PRIu32 ",0x%" PRIx64 ",\"%s\",%" PRIi64 ",%" PRIx64
",\"%s\",%" PRIx64 ",%" PRIx64 ",%" PRIx64 ",%" PRIx64 "\n",
UNPACK_TIMEVAL(info->timestamp), info->vcpu, info->regs->cr3, info->proc_data.name,
info->proc_data.userid, code, bugcheck_name, params[0], params[1], params[2], params[3]);
break;
case OUTPUT_KV:
printf("bsodmon Time=" FORMAT_TIMEVAL ",PID=%d,PPID=%d,ProcessName=\"%s\",BugCheckCode=%" PRIx64
",BugCheckName=\"%s\",BugCheckParameter1=%" PRIx64 ",BugCheckParameter2=%" PRIx64 ",BugCheckParameter2=%" PRIx64
",BugCheckParameter4=%" PRIx64 "\n",
UNPACK_TIMEVAL(info->timestamp), info->proc_data.pid, info->proc_data.ppid,
info->proc_data.name, code, bugcheck_name, params[0], params[1], params[2], params[3]);
break;
case OUTPUT_JSON:
escaped_pname = drakvuf_escape_str(info->proc_data.name);
printf( "{"
"\"Plugin\" : \"bsodmon\","
"\"TimeStamp\" :" "\"" FORMAT_TIMEVAL "\","
"\"VCPU\": %" PRIu32 ","
"\"CR3\": %" PRIu64 ","
"\"ProcessName\": %s,"
"\"UserId\": %" PRIu64 ","
"\"PID\" : %d,"
"\"PPID\": %d,"
"\"BugCheckCode\": %" PRIu64 ","
"\"BugCheckName\": \"%s\","
"\"BugCheckParameter1\": %" PRIu64 ","
"\"BugCheckParameter2\": %" PRIu64 ","
"\"BugCheckParameter3\": %" PRIu64 ","
"\"BugCheckParameter4\": %" PRIu64
"}\n",
UNPACK_TIMEVAL(info->timestamp),
info->vcpu, info->regs->cr3, escaped_pname,
info->proc_data.userid,
info->proc_data.pid, info->proc_data.ppid,
code, bugcheck_name, params[0], params[1], params[2], params[3]);
g_free(escaped_pname);
break;
default:
case OUTPUT_DEFAULT:
printf("[BSODMON] TIME:" FORMAT_TIMEVAL " VCPU:%" PRIu32 " CR3:0x%" PRIx64 ",\"%s\" %s:%" PRIi64
" BugCheckCode:%" PRIx64 " BugCheckName:%s BugCheckParameter1:%" PRIx64 " BugCheckParameter2:%" PRIx64
" BugCheckParameter3:%" PRIx64 " BugCheckParameter4:%" PRIx64 "\n",
UNPACK_TIMEVAL(info->timestamp), info->vcpu, info->regs->cr3, info->proc_data.name,
USERIDSTR(drakvuf), info->proc_data.userid, code, bugcheck_name, params[0], params[1], params[2], params[3]);
break;
}
done:
drakvuf_release_vmi(drakvuf);
if ( f->abort_on_bsod )
drakvuf_interrupt( drakvuf, SIGDRAKVUFERROR);
return 0;
}
