bool drakvuf_init(drakvuf_t *drakvuf, const char *domain, const char *rekall_profile, bool _verbose) {
if ( !domain || !rekall_profile )
return 0;
#ifdef DRAKVUF_DEBUG
verbose = _verbose;
#endif
*drakvuf = g_malloc0(sizeof(struct drakvuf));
(*drakvuf)->rekall_profile = g_strdup(rekall_profile);
g_mutex_init(&(*drakvuf)->vmi_lock);
if ( !xen_init_interface(&(*drakvuf)->xen) )
goto err;
get_dom_info((*drakvuf)->xen, domain, &(*drakvuf)->domID, &(*drakvuf)->dom_name);
domid_t test = ~0;
if ( (*drakvuf)->domID == test )
goto err;
if (!init_vmi(*drakvuf))
goto err;
return 1;
err:
drakvuf_close(*drakvuf);
*drakvuf = NULL;
return 0;
}
int main(int argc, char** argv)
{
if (argc < 5) {
printf("Usage: ./%s <rekall profile> <domain> <pid> <app>\n", argv[0]);
return 1;
}
int rc = 0;
const char *rekall_profile = argv[1];
const char *domain = argv[2];
vmi_pid_t pid = atoi(argv[3]);
char *app = argv[4];
bool verbose = 0;
#ifdef DRAKVUF_DEBUG
verbose = 1;
#endif
/* for a clean exit */
struct sigaction act;
act.sa_handler = close_handler;
act.sa_flags = 0;
sigemptyset(&act.sa_mask);
sigaction(SIGHUP, &act, NULL);
sigaction(SIGTERM, &act, NULL);
sigaction(SIGINT, &act, NULL);
sigaction(SIGALRM, &act, NULL);
drakvuf_init(&drakvuf, domain, rekall_profile, verbose);
drakvuf_pause(drakvuf);
if (pid > 0 && app) {
printf("Injector starting %s through PID %u\n", app, pid);
rc = drakvuf_inject_cmd(drakvuf, pid, app);
if (!rc) {
printf("Process startup failed\n");
} else {
printf("Process startup success\n");
}
}
drakvuf_resume(drakvuf);
drakvuf_close(drakvuf);
return rc;
}
int main(int argc, char** argv)
{
int rc = 0;
vmi_pid_t injection_pid = 0;
uint32_t injection_thread = 0;
char c;
char* rekall_profile = NULL;
char* domain = NULL;
char* inject_file = NULL;
char* inject_cwd = NULL;
bool injection_global_search = false;
char* binary_path = NULL;
char* target_process = NULL;
injection_method_t injection_method = INJECT_METHOD_CREATEPROC;
bool verbose = 0;
bool libvmi_conf = false;
if (argc < 4)
{
print_help();
return 1;
}
while ((c = getopt (argc, argv, "r:d:i:I:e:m:B:P:vlg")) != -1)
switch (c)
{
case 'r':
rekall_profile = optarg;
break;
case 'd':
domain = optarg;
break;
case 'i':
injection_pid = atoi(optarg);
break;
case 'I':
injection_thread = atoi(optarg);
break;
case 'e':
inject_file = optarg;
break;
case 'c':
inject_cwd = optarg;
break;
case 'm':
if (!strncmp(optarg,"shellexec",9))
injection_method = INJECT_METHOD_SHELLEXEC;
else if (!strncmp(optarg,"createproc",10))
injection_method = INJECT_METHOD_CREATEPROC;
else if (!strncmp(optarg,"shellcode",9))
injection_method = INJECT_METHOD_SHELLCODE;
else if (!strncmp(optarg,"doppelganging",13))
injection_method = INJECT_METHOD_DOPP;
else
{
fprintf(stderr, "Unrecognized injection method\n");
return rc;
}
break;
case 'g':
injection_global_search = true;
break;
case 'B':
binary_path = optarg;
break;
case 'P':
target_process = optarg;
break;
#ifdef DRAKVUF_DEBUG
case 'v':
verbose = 1;
break;
#endif
case 'l':
libvmi_conf = true;
break;
default:
fprintf(stderr, "Unrecognized option: %c\n", c);
return rc;
}
if ( !rekall_profile || !domain || !injection_pid || !inject_file )
{
print_help();
return 1;
}
if ( INJECT_METHOD_DOPP == injection_method && (!binary_path || !target_process) )
{
print_help();
return 1;
}
/* for a clean exit */
struct sigaction act;
act.sa_handler = close_handler;
act.sa_flags = 0;
sigemptyset(&act.sa_mask);
sigaction(SIGHUP, &act, NULL);
sigaction(SIGTERM, &act, NULL);
sigaction(SIGINT, &act, NULL);
sigaction(SIGALRM, &act, NULL);
if (!drakvuf_init(&drakvuf, domain, rekall_profile, NULL, verbose, libvmi_conf))
{
fprintf(stderr, "Failed to initialize on domain %s\n", domain);
return 1;
}
printf("Injector starting %s through PID %u TID: %u\n", inject_file, injection_pid, injection_thread);
int injection_result = injector_start_app(
drakvuf,
injection_pid,
injection_thread,
inject_file,
inject_cwd,
injection_method,
OUTPUT_DEFAULT,
binary_path,
target_process,
false,
NULL,
injection_global_search);
if (injection_result)
printf("Process startup success\n");
else
{
printf("Process startup failed\n");
rc = 1;
}
drakvuf_resume(drakvuf);
drakvuf_close(drakvuf, 0);
return rc;
}
int main(int argc, char** argv) {
int c, i;
char *inject_cmd = NULL;
char *domain = NULL;
char *rekall_profile = NULL;
char *dump_folder = NULL;
vmi_pid_t injection_pid = -1;
struct sigaction act;
int timeout = 0;
GThread *timeout_thread = NULL;
output_format_t output = OUTPUT_DEFAULT;
fprintf(stderr, "%s v%s\n", PACKAGE_NAME, PACKAGE_VERSION);
if ( __DRAKVUF_PLUGIN_LIST_MAX == 0 ) {
fprintf(stderr, "No plugins have been enabled, nothing to do!\n");
return 1;
}
if (argc < 4) {
fprintf(stderr, "Required input:\n"
"\t -r <rekall profile> The Rekall profile of the Windows kernel\n"
"\t -d <domain ID or name> The domain's ID or name\n"
"Optional inputs:\n"
"\t -i <injection pid> The PID of the process to hijack for injection\n"
"\t -e <inject_exe> The executable to start with injection\n"
"\t -t <timeout> Timeout (in seconds)\n"
"\t -D <file dump folder> Folder where extracted files should be stored at\n"
"\t -o <format> Output format (default or csv)\n"
"\t -v Turn on verbose (debug) output\n"
);
return 1;
}
while ((c = getopt (argc, argv, "r:d:i:e:t:D:o:v")) != -1)
switch (c)
{
case 'r':
rekall_profile = optarg;
break;
case 'd':
domain = optarg;
break;
case 'i':
injection_pid = atoi(optarg);
break;
case 'e':
inject_cmd = optarg;
break;
case 't':
timeout = atoi(optarg);
break;
case 'D':
dump_folder = optarg;
break;
case 'o':
if(!strncmp(optarg,"csv",3))
output = OUTPUT_CSV;
break;
case 'v':
// verbose = 1;
break;
default:
fprintf(stderr, "Unrecognized option: %c\n", c);
return 1;
}
interrupted = 0;
if (!drakvuf_init(&drakvuf, domain, rekall_profile))
return 1;
if(output != OUTPUT_DEFAULT)
drakvuf_set_output_format(drakvuf, output);
if(timeout > 0) {
timeout_thread = g_thread_new(NULL, timer, &timeout);
}
drakvuf_pause(drakvuf);
if (injection_pid > 0 && inject_cmd) {
int rc = drakvuf_inject_cmd(drakvuf, injection_pid, inject_cmd);
if (!rc) {
fprintf(stderr, "Process startup failed\n");
goto exit;
}
}
/*
* Pass the configuration input to the plugins.
* Default config is only the rekall profile but plugins
* can define additional options which need to be passed
* through their own config structure.
*/
for(i=0;i<__DRAKVUF_PLUGIN_LIST_MAX;i++) {
switch (i) {
case PLUGIN_FILEDELETE:
{
struct filedelete_config c = {
.rekall_profile = rekall_profile,
.dump_folder = dump_folder
};
if ( !drakvuf_plugin_init(drakvuf, i, &c) )
goto exit;
break;
}
default:
if ( !drakvuf_plugin_init(drakvuf, i, rekall_profile) )
goto exit;
break;
};
}
/* for a clean exit */
act.sa_handler = close_handler;
act.sa_flags = 0;
sigemptyset(&act.sa_mask);
sigaction(SIGHUP, &act, NULL);
sigaction(SIGTERM, &act, NULL);
sigaction(SIGINT, &act, NULL);
sigaction(SIGALRM, &act, NULL);
if ( drakvuf_plugins_start(drakvuf) )
drakvuf_loop(drakvuf);
exit:
drakvuf_pause(drakvuf);
drakvuf_plugins_close(drakvuf);
drakvuf_close(drakvuf);
if(timeout_thread)
g_thread_join(timeout_thread);
return 0;
}
