/*
 * Plugin initialisation for the hook API tests.
 *
 * Sets up DECAF output, then subscribes to the VMI process-create and
 * process-remove events (handlers createproc_callback / removeproc_callback
 * are defined elsewhere in the plugin).
 *
 * Returns 0 unconditionally: a failed registration is reported through
 * DECAF_printf but does not change the return value.
 */
static int hookapitests_init(void)
{
    DECAF_output_init(NULL);
    DECAF_printf("Hello World\n");

    /* Subscribe to process lifetime events; handles are kept in file-scope globals. */
    processbegin_handle = VMI_register_callback(VMI_CREATEPROC_CB, &createproc_callback, NULL);
    removeproc_handle = VMI_register_callback(VMI_REMOVEPROC_CB, &removeproc_callback, NULL);

    /* Either registration may fail; only report it, the caller still sees success. */
    int both_registered = (processbegin_handle != DECAF_NULL_HANDLE)
                          && (removeproc_handle != DECAF_NULL_HANDLE);
    if (!both_registered) {
        DECAF_printf("Could not register for the create or remove proc events\n");
    }

    return 0;
}
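/*
 * Plugin entry point: fills in tracing_interface and arms all callbacks.
 *
 * The instruction begin/end callbacks are registered while the VM is
 * stopped; the taint-related callbacks are only registered when the build
 * has CONFIG_TCG_TAINT. The VMI process/module callbacks are registered
 * after the VM is restarted, then tracing_init() runs.
 *
 * Returns a pointer to the file-scope tracing_interface (not owned by the
 * caller).
 */
plugin_interface_t *init_plugin(void)
{
    /*
     * Pick the comparison used for guest names: case-insensitive when the
     * guest kernel base is 0x80000000 (presumably a Windows guest -- confirm),
     * case-sensitive otherwise.
     */
    if (0x80000000 == VMI_guest_kernel_base) {
        comparestring = strcasecmp;
    } else {
        comparestring = strcmp;
    }

    tracing_interface.plugin_cleanup = tracing_cleanup;
    tracing_interface.mon_cmds = tracing_term_cmds;
    tracing_interface.info_cmds = tracing_info_cmds;

    /* Pause the guest while the per-instruction callbacks are armed. */
    DECAF_stop_vm();

    /* &should_monitor is handed to DECAF as the callback's third argument (its condition pointer). */
    insn_begin_cb_handle = DECAF_register_callback(DECAF_INSN_BEGIN_CB, tracing_insn_begin, &should_monitor);
    insn_end_cb_handle = DECAF_register_callback(DECAF_INSN_END_CB, tracing_insn_end, &should_monitor);
    /* Registration can fail; report it like the other plugins do instead of silently continuing. */
    if ((insn_begin_cb_handle == DECAF_NULL_HANDLE) || (insn_end_cb_handle == DECAF_NULL_HANDLE)) {
        DECAF_printf("Could not register the insn begin/end callbacks\n");
    }

#ifdef CONFIG_TCG_TAINT
    /* Taint tracking over the NIC: receive and send paths. */
    nic_rec_cb_handle = DECAF_register_callback(DECAF_NIC_REC_CB, tracing_nic_recv, NULL);
    nic_send_cb_handle = DECAF_register_callback(DECAF_NIC_SEND_CB, tracing_nic_send, NULL);
    printf("register nic callback \n");

    /* Detect a tainted EIP. */
    check_eip_handle = DECAF_register_callback(DECAF_EIP_CHECK_CB, check_eip, NULL);
    printf("register eip check callback\n");
#endif /*CONFIG_TCG_TAINT*/

    DECAF_start_vm();

    /* Process / module lifetime notifications, registered with the guest running again. */
    removeproc_handle = VMI_register_callback(VMI_REMOVEPROC_CB, my_removeproc_notify, NULL);
    loadmainmodule_handle = VMI_register_callback(VMI_CREATEPROC_CB, my_loadmainmodule_notify, NULL);
    loadmodule_handle = VMI_register_callback(VMI_LOADMODULE_CB, my_loadmodule_notify, NULL);

    tracing_init();

    return &tracing_interface;
}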
/*
 * Instruction tracer initialisation.
 *
 * Subscribes to VMI process-create events; the handler
 * (instruction_tracer_load_main_module_callback) decides whether the new
 * process is the one to trace.
 *
 * Always returns 0; a failed registration is only logged.
 */
static int instruction_tracer_init(void)
{
    DECAF_printf("initializing instruction tracer...\n");

    processbegin_handle = VMI_register_callback(VMI_CREATEPROC_CB,
                                                &instruction_tracer_load_main_module_callback,
                                                NULL);

    /* Report the failure but do not abort initialisation. */
    if (DECAF_NULL_HANDLE == processbegin_handle) {
        DECAF_printf("Could not register initial callback\n");
    }

    return 0;
}
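/*
 * VMI process-create handler: starts tracing when the new process matches
 * target_name.
 *
 * Only the first match is traced (target_cr3 acts as the "already armed"
 * flag). On a match the disassembly log is opened, target_cr3 is recorded,
 * and the CPU-exec and process-remove callbacks are registered.
 *
 * params: the VMI create-process parameters; params->cp.name may be NULL.
 */
static void instruction_tracer_load_main_module_callback(VMI_Callback_Params *params)
{
    /* A target is already being traced. */
    if (target_cr3 != 0) {
        return;
    }
    if (params->cp.name == NULL) {
        return;
    }
    /*
     * Prefix comparison over target_name_len: a longer process name that
     * starts with target_name also matches (presumably intended -- confirm).
     */
    if (strncmp(params->cp.name, target_name, target_name_len) != 0) {
        return;
    }

    /* NOTE(review): %d is used for cr3 and pid; confirm their declared types are signed int, else the specifier should change. */
    DECAF_printf("Process %s(cr3: %d, pid: %d) you specified starts\n",
                 params->cp.name, params->cp.cr3, params->cp.pid);

    /*
     * Open the log before arming the callbacks, so no instruction callback
     * can run while disas_logfile is still unopened. The failure is logged
     * only, as before.
     */
    disas_logfile = fopen(LOGFILE_PATH, "w+");
    if (disas_logfile == NULL) {
        DECAF_printf("log file open error!\n");
    }

    target_cr3 = params->cp.cr3;

    instruction_tracer_cpu_exec_handle = DECAF_register_callback(DECAF_CPU_EXEC_CB,
                                                                 &instruction_tracer_cpu_exec_callback,
                                                                 NULL);
    processfinish_handle = VMI_register_callback(VMI_REMOVEPROC_CB,
                                                 &instruction_tracer_process_finished_callback,
                                                 NULL);
    /* Same reporting style as instruction_tracer_init: a failed registration is logged, not fatal. */
    if ((instruction_tracer_cpu_exec_handle == DECAF_NULL_HANDLE)
        || (processfinish_handle == DECAF_NULL_HANDLE)) {
        DECAF_printf("Could not register the cpu exec or process finish callback\n");
    }
}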