/// Names a trap after a kernel function, resolves that function's RVA into
/// trap->breakpoint.rva and registers the trap with DRAKVUF.
///
/// @param drakvuf       DRAKVUF instance the trap is registered with.
/// @param syscall_name  Used both as the trap name and as the symbol for the RVA lookup.
/// @param trap          Trap to fill in; every field other than name, cb and
///                      breakpoint.rva is left exactly as the caller set it.
/// @param hook_cb       Callback installed as trap->cb.
/// @throws int (-1) if the RVA cannot be resolved or drakvuf_add_trap() fails,
///         matching the error convention of the plugin constructors in this file.
void bsodmon::register_trap(drakvuf_t drakvuf, const char* syscall_name, drakvuf_trap_t* trap, event_response_t(*hook_cb)( drakvuf_t drakvuf, drakvuf_trap_info_t* info ))
{
    trap->name = syscall_name;
    trap->cb   = hook_cb;

    // Resolve the breakpoint address before registering; an unresolved symbol
    // must not reach drakvuf_add_trap().
    const bool resolved = drakvuf_get_function_rva(drakvuf, syscall_name, &trap->breakpoint.rva);
    if (!resolved)
        throw -1;

    const bool registered = drakvuf_add_trap(drakvuf, trap);
    if (!registered)
        throw -1;
}
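/// Builds the BSOD monitor: initialises the bugcheck map and hooks KeBugCheck2.
///
/// @param drakvuf        DRAKVUF instance the trap is registered with.
/// @param _abort_on_bsod Stored in abort_on_bsod.
/// @param output         Output format stored in `format`.
/// @throws int (-1) if KeBugCheck2 cannot be resolved or the trap cannot be
///         added (propagated from register_trap()).
bsodmon::bsodmon(drakvuf_t drakvuf, bool _abort_on_bsod, output_format_t output)
    : format{output}
    , abort_on_bsod{_abort_on_bsod}
{
    init_bugcheck_map(this, drakvuf);

    // Same sequence as the inline version (name, cb, RVA lookup, add_trap), but
    // routed through the shared helper so every trap this plugin installs is
    // set up and error-checked in one place.
    register_trap(drakvuf, "KeBugCheck2", &trap, hook_cb);
}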
/// Installs the DEBUG-type trap whose events are delivered to debug_cb.
///
/// @param _drakvuf DRAKVUF instance; stored in `drakvuf` and used for registration.
/// @param _output  Output format stored in `format`.
/// @throws int (-1) when drakvuf_add_trap() rejects the trap; an error line is
///         written to stderr first.
debugmon::debugmon(drakvuf_t _drakvuf, output_format_t _output)
    : format{_output}
    , drakvuf{_drakvuf}
{
    auto& dbg = this->debug;
    dbg.type = DEBUG;
    dbg.cb   = debug_cb;
    dbg.data = static_cast<void*>(this);   // presumably read back by debug_cb from the trap — confirm

    if (drakvuf_add_trap(drakvuf, &dbg))
        return;

    fprintf(stderr, "Failed to register Debugmon plugin\n");
    throw -1;
}
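/// Installs the CPUID trap and records the bool passed via config in `stealth`.
///
/// @param drakvuf DRAKVUF instance; stored in `drakvuf` and used for registration.
/// @param config  Points to a bool; must not be null (it is dereferenced here).
/// @param output  Output format stored in `format`.
/// @throws int (-1) if config is null or drakvuf_add_trap() fails; an error line
///         is written to stderr first, as the other plugins in this file do.
cpuidmon::cpuidmon(drakvuf_t drakvuf, const void* config, output_format_t output)
{
    // The original dereferenced config unconditionally; a null config is now
    // reported instead of crashing.
    if (!config)
    {
        fprintf(stderr, "Failed to register CPUIDMON plugin: missing config\n");
        throw -1;
    }

    this->format  = output;
    // static_cast keeps the pointee const (the old C-style cast silently dropped it).
    this->stealth = *static_cast<const bool*>(config);
    this->drakvuf = drakvuf;

    this->cpuid.type = CPUID;
    this->cpuid.cb   = cpuid_cb;
    this->cpuid.data = static_cast<void*>(this);

    if (!drakvuf_add_trap(drakvuf, &this->cpuid))
    {
        fprintf(stderr, "Failed to register CPUIDMON plugin\n");
        throw -1;
    }
}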
/// Builds the pool-tag lookup tree and hooks ExAllocatePoolWithTag in ntoskrnl.exe.
///
/// @param drakvuf DRAKVUF instance used for the RVA lookup and trap registration.
/// @param config  Not used by this constructor.
/// @param output  Output format stored in `format`.
/// @throws int (-1) if the RVA lookup or drakvuf_add_trap() fails.
poolmon::poolmon(drakvuf_t drakvuf, const void* config, output_format_t output)
{
    (void)config;

    this->format = output;
    this->pooltag_tree = pooltag_build_tree();
    // NOTE(review): if either throw below fires, pooltag_tree built above is not
    // released on this path — confirm whether it needs explicit teardown.

    auto& bp = this->trap.breakpoint;
    bp.lookup_type = LOOKUP_PID;
    bp.pid         = 4;            // presumably the Windows System process — confirm
    bp.addr_type   = ADDR_RVA;
    if (!drakvuf_get_function_rva(drakvuf, "ExAllocatePoolWithTag", &bp.rva))
        throw -1;
    bp.module = "ntoskrnl.exe";

    this->trap.name = "ExAllocatePoolWithTag";
    this->trap.type = BREAKPOINT;
    this->trap.cb   = cb;
    this->trap.data = static_cast<void*>(this);

    if (!drakvuf_add_trap(drakvuf, &this->trap))
        throw -1;
}
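/// Parses the Rekall profile named by config and registers one trap per entry
/// produced by create_trap_config().
///
/// @param drakvuf DRAKVUF instance the traps are registered with.
/// @param config  Path to the Rekall profile (a const char*).
/// @param output  Output format stored in `format`.
/// @throws int (-1) if any drakvuf_add_trap() call fails. A profile that cannot
///         be parsed is reported on stderr and leaves the plugin with no traps
///         (best effort, as before); format and traps are still assigned so the
///         object is in a defined state on that path.
syscalls::syscalls(drakvuf_t drakvuf, const void *config, output_format_t output)
{
    // Assign these first so the early-return path below does not leave the
    // object half-initialised (the original set format only after parsing).
    this->format = output;
    this->traps  = nullptr;

    const char *rekall_profile = static_cast<const char *>(config);
    symbols_t *symbols = drakvuf_get_symbols_from_rekall(rekall_profile);
    if (!symbols)
    {
        // Guard the %s argument: a null path would be undefined for fprintf.
        fprintf(stderr, "Failed to parse Rekall profile at %s\n",
                rekall_profile ? rekall_profile : "(null)");
        return;
    }

    this->traps = create_trap_config(drakvuf, this, symbols);
    drakvuf_free_symbols(symbols);

    // NOTE(review): if a later add_trap fails, traps already registered in this
    // loop stay installed — confirm whether teardown elsewhere covers that.
    for (GSList *node = this->traps; node; node = node->next)
    {
        drakvuf_trap_t *trap = static_cast<drakvuf_trap_t *>(node->data);
        if (!drakvuf_add_trap(drakvuf, trap))
            throw -1;
    }
}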