bool drakvuf_init(drakvuf_t *drakvuf, const char *domain, const char *rekall_profile, bool _verbose) { if ( !domain || !rekall_profile ) return 0; #ifdef DRAKVUF_DEBUG verbose = _verbose; #endif *drakvuf = g_malloc0(sizeof(struct drakvuf)); (*drakvuf)->rekall_profile = g_strdup(rekall_profile); g_mutex_init(&(*drakvuf)->vmi_lock); if ( !xen_init_interface(&(*drakvuf)->xen) ) goto err; get_dom_info((*drakvuf)->xen, domain, &(*drakvuf)->domID, &(*drakvuf)->dom_name); domid_t test = ~0; if ( (*drakvuf)->domID == test ) goto err; if (!init_vmi(*drakvuf)) goto err; return 1; err: drakvuf_close(*drakvuf); *drakvuf = NULL; return 0; }
int main(int argc, char** argv) { if (argc < 5) { printf("Usage: ./%s <rekall profile> <domain> <pid> <app>\n", argv[0]); return 1; } int rc = 0; const char *rekall_profile = argv[1]; const char *domain = argv[2]; vmi_pid_t pid = atoi(argv[3]); char *app = argv[4]; bool verbose = 0; #ifdef DRAKVUF_DEBUG verbose = 1; #endif /* for a clean exit */ struct sigaction act; act.sa_handler = close_handler; act.sa_flags = 0; sigemptyset(&act.sa_mask); sigaction(SIGHUP, &act, NULL); sigaction(SIGTERM, &act, NULL); sigaction(SIGINT, &act, NULL); sigaction(SIGALRM, &act, NULL); drakvuf_init(&drakvuf, domain, rekall_profile, verbose); drakvuf_pause(drakvuf); if (pid > 0 && app) { printf("Injector starting %s through PID %u\n", app, pid); rc = drakvuf_inject_cmd(drakvuf, pid, app); if (!rc) { printf("Process startup failed\n"); } else { printf("Process startup success\n"); } } drakvuf_resume(drakvuf); drakvuf_close(drakvuf); return rc; }
int main(int argc, char** argv) { int rc = 0; vmi_pid_t injection_pid = 0; uint32_t injection_thread = 0; char c; char* rekall_profile = NULL; char* domain = NULL; char* inject_file = NULL; char* inject_cwd = NULL; bool injection_global_search = false; char* binary_path = NULL; char* target_process = NULL; injection_method_t injection_method = INJECT_METHOD_CREATEPROC; bool verbose = 0; bool libvmi_conf = false; if (argc < 4) { print_help(); return 1; } while ((c = getopt (argc, argv, "r:d:i:I:e:m:B:P:vlg")) != -1) switch (c) { case 'r': rekall_profile = optarg; break; case 'd': domain = optarg; break; case 'i': injection_pid = atoi(optarg); break; case 'I': injection_thread = atoi(optarg); break; case 'e': inject_file = optarg; break; case 'c': inject_cwd = optarg; break; case 'm': if (!strncmp(optarg,"shellexec",9)) injection_method = INJECT_METHOD_SHELLEXEC; else if (!strncmp(optarg,"createproc",10)) injection_method = INJECT_METHOD_CREATEPROC; else if (!strncmp(optarg,"shellcode",9)) injection_method = INJECT_METHOD_SHELLCODE; else if (!strncmp(optarg,"doppelganging",13)) injection_method = INJECT_METHOD_DOPP; else { fprintf(stderr, "Unrecognized injection method\n"); return rc; } break; case 'g': injection_global_search = true; break; case 'B': binary_path = optarg; break; case 'P': target_process = optarg; break; #ifdef DRAKVUF_DEBUG case 'v': verbose = 1; break; #endif case 'l': libvmi_conf = true; break; default: fprintf(stderr, "Unrecognized option: %c\n", c); return rc; } if ( !rekall_profile || !domain || !injection_pid || !inject_file ) { print_help(); return 1; } if ( INJECT_METHOD_DOPP == injection_method && (!binary_path || !target_process) ) { print_help(); return 1; } /* for a clean exit */ struct sigaction act; act.sa_handler = close_handler; act.sa_flags = 0; sigemptyset(&act.sa_mask); sigaction(SIGHUP, &act, NULL); sigaction(SIGTERM, &act, NULL); sigaction(SIGINT, &act, NULL); sigaction(SIGALRM, &act, NULL); if (!drakvuf_init(&drakvuf, domain, rekall_profile, NULL, verbose, libvmi_conf)) { fprintf(stderr, "Failed to initialize on domain %s\n", domain); return 1; } printf("Injector starting %s through PID %u TID: %u\n", inject_file, injection_pid, injection_thread); int injection_result = injector_start_app( drakvuf, injection_pid, injection_thread, inject_file, inject_cwd, injection_method, OUTPUT_DEFAULT, binary_path, target_process, false, NULL, injection_global_search); if (injection_result) printf("Process startup success\n"); else { printf("Process startup failed\n"); rc = 1; } drakvuf_resume(drakvuf); drakvuf_close(drakvuf, 0); return rc; }
int main(int argc, char** argv) { int c, i; char *inject_cmd = NULL; char *domain = NULL; char *rekall_profile = NULL; char *dump_folder = NULL; vmi_pid_t injection_pid = -1; struct sigaction act; int timeout = 0; GThread *timeout_thread = NULL; output_format_t output = OUTPUT_DEFAULT; fprintf(stderr, "%s v%s\n", PACKAGE_NAME, PACKAGE_VERSION); if ( __DRAKVUF_PLUGIN_LIST_MAX == 0 ) { fprintf(stderr, "No plugins have been enabled, nothing to do!\n"); return 1; } if (argc < 4) { fprintf(stderr, "Required input:\n" "\t -r <rekall profile> The Rekall profile of the Windows kernel\n" "\t -d <domain ID or name> The domain's ID or name\n" "Optional inputs:\n" "\t -i <injection pid> The PID of the process to hijack for injection\n" "\t -e <inject_exe> The executable to start with injection\n" "\t -t <timeout> Timeout (in seconds)\n" "\t -D <file dump folder> Folder where extracted files should be stored at\n" "\t -o <format> Output format (default or csv)\n" "\t -v Turn on verbose (debug) output\n" ); return 1; } while ((c = getopt (argc, argv, "r:d:i:e:t:D:o:v")) != -1) switch (c) { case 'r': rekall_profile = optarg; break; case 'd': domain = optarg; break; case 'i': injection_pid = atoi(optarg); break; case 'e': inject_cmd = optarg; break; case 't': timeout = atoi(optarg); break; case 'D': dump_folder = optarg; break; case 'o': if(!strncmp(optarg,"csv",3)) output = OUTPUT_CSV; break; case 'v': // verbose = 1; break; default: fprintf(stderr, "Unrecognized option: %c\n", c); return 1; } interrupted = 0; if (!drakvuf_init(&drakvuf, domain, rekall_profile)) return 1; if(output != OUTPUT_DEFAULT) drakvuf_set_output_format(drakvuf, output); if(timeout > 0) { timeout_thread = g_thread_new(NULL, timer, &timeout); } drakvuf_pause(drakvuf); if (injection_pid > 0 && inject_cmd) { int rc = drakvuf_inject_cmd(drakvuf, injection_pid, inject_cmd); if (!rc) { fprintf(stderr, "Process startup failed\n"); goto exit; } } /* * Pass the configuration input to the plugins. * Default config is only the rekall profile but plugins * can define additional options which need to be passed * through their own config structure. */ for(i=0;i<__DRAKVUF_PLUGIN_LIST_MAX;i++) { switch (i) { case PLUGIN_FILEDELETE: { struct filedelete_config c = { .rekall_profile = rekall_profile, .dump_folder = dump_folder }; if ( !drakvuf_plugin_init(drakvuf, i, &c) ) goto exit; break; } default: if ( !drakvuf_plugin_init(drakvuf, i, rekall_profile) ) goto exit; break; }; } /* for a clean exit */ act.sa_handler = close_handler; act.sa_flags = 0; sigemptyset(&act.sa_mask); sigaction(SIGHUP, &act, NULL); sigaction(SIGTERM, &act, NULL); sigaction(SIGINT, &act, NULL); sigaction(SIGALRM, &act, NULL); if ( drakvuf_plugins_start(drakvuf) ) drakvuf_loop(drakvuf); exit: drakvuf_pause(drakvuf); drakvuf_plugins_close(drakvuf); drakvuf_close(drakvuf); if(timeout_thread) g_thread_join(timeout_thread); return 0; }