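/*
 * bsodmon plugin constructor.
 *
 * Reads the plugin's single option (abort_on_bsod) out of the opaque
 * config pointer, builds the bugcheck-code lookup map and hooks
 * KeBugCheck2 so that kernel bugchecks reach hook_cb.
 *
 * @param drakvuf  DRAKVUF instance the trap is registered with.
 * @param config   Opaque option block; this plugin reads it as a single bool
 *                 (abort on BSOD).
 * @param output   Output format stored in this->format for the callback.
 *
 * Throws -1 when config is NULL. The original dereferenced config without
 * any check; -1 is the failure convention the sibling plugin constructor in
 * this file already uses.
 */
bsodmon::bsodmon(drakvuf_t drakvuf, const void* config, output_format_t output)
    : format(output)
{
    // The loader hands us a void*; a NULL here would otherwise be a
    // NULL dereference on the next line.
    if (!config)
        throw -1;

    this->abort_on_bsod = *static_cast<const bool*>(config);

    init_bugcheck_map(this, drakvuf);

    // NOTE(review): register_trap's result is not checked, as in the
    // original; whether it throws on failure is not visible from here.
    register_trap(drakvuf, "KeBugCheck2", &trap, hook_cb);
}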
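/*
 * filedelete plugin constructor.
 *
 * Records the guest page mode and domain id, copies the plugin options,
 * registers the syscall traps the plugin relies on (NtSetInformationFile,
 * NtWriteFile, NtClose, plus ZwCreateSection in injector mode), resolves
 * the kernel helpers used by the injector, and caches the struct-member
 * offsets and the _CONTROL_AREA size from the profile.
 *
 * @param drakvuf  DRAKVUF instance used for VMI access and trap registration.
 * @param c        Plugin options (dump_folder, filedelete_use_injector).
 * @param output   Output format stored in this->format.
 *
 * Throws -1 when c is NULL, when the offsets buffer cannot be allocated, or
 * when the profile lookups fail. Because a throwing constructor never runs
 * the destructor, the offsets buffer is released here before throwing.
 *
 * Changes from the original: NULL check on c, NULL check on malloc, no leak
 * of offsets on the throw paths, and the trap-slot capacity check is a
 * static_assert instead of a runtime assert that vanishes under NDEBUG.
 */
filedelete::filedelete(drakvuf_t drakvuf, const filedelete_config* c, output_format_t output)
    : sequence_number()
{
    if (!c)
        throw -1;

    this->pm = drakvuf_get_page_mode(drakvuf);

    // The VMI handle is only borrowed for the vmid lookup and released
    // right away; nothing below touches vmi directly.
    vmi_instance_t vmi = drakvuf_lock_and_get_vmi(drakvuf);
    this->domid = vmi_get_vmid(vmi);
    drakvuf_release_vmi(drakvuf);

    // NOTE(review): dump_folder is copied as-is from the config; if it is a
    // raw pointer its storage must outlive this plugin — verify at the caller.
    this->dump_folder = c->dump_folder;
    this->format = output;
    this->use_injector = c->filedelete_use_injector;

    if (this->use_injector)
    {
        // Resolve the kernel helpers the injector needs before any trap is
        // registered, so a resolution failure (should get_function_va throw)
        // leaves no trap pointing at a half-built object.
        this->queryobject_va = get_function_va(drakvuf, "ntoskrnl.exe", "ZwQueryVolumeInformationFile");
        this->readfile_va = get_function_va(drakvuf, "ntoskrnl.exe", "ZwReadFile");
        this->waitobject_va = get_function_va(drakvuf, "ntoskrnl.exe", "ZwWaitForSingleObject");
        this->exallocatepool_va = get_function_va(drakvuf, "ntoskrnl.exe", "ExAllocatePoolWithTag");
        this->exfreepool_va = get_function_va(drakvuf, "ntoskrnl.exe", "ExFreePoolWithTag");
    }

    // traps is a fixed-size member array, so its capacity is a compile-time
    // fact: check it at compile time. Slots 0-3 are used below.
    static_assert(sizeof(traps) / sizeof(traps[0]) > 3,
                  "filedelete needs at least four trap slots");

    // Traps common to both modes.
    register_trap(drakvuf, "NtSetInformationFile", &traps[0], setinformation_cb);
    register_trap(drakvuf, "NtWriteFile", &traps[1], writefile_cb);
    register_trap(drakvuf, "NtClose", &traps[2], close_cb);

    if (this->use_injector)
    {
        register_trap(drakvuf, "ZwCreateSection", &traps[3], createsection_cb);
    }
    else
    {
        /* TODO
        register_trap(drakvuf, "NtDeleteFile", &traps[3], deletefile_cb);
        register_trap(drakvuf, "ZwDeleteFile", &traps[4], deletefile_cb);
        */
    }

    // One slot per entry of offset_names; filled by the profile lookup below.
    this->offsets = static_cast<size_t*>(malloc(sizeof(size_t) * __OFFSET_MAX));
    if (!this->offsets)
        throw -1;

    if (!drakvuf_get_struct_members_array_rva(drakvuf, offset_names, __OFFSET_MAX, this->offsets)
        || !drakvuf_get_struct_size(drakvuf, "_CONTROL_AREA", &this->control_area_size))
    {
        // The destructor will not run after a throw from here, so release
        // the buffer ourselves.
        free(this->offsets);
        this->offsets = nullptr;
        throw -1;
    }

    // Legacy paging mode uses 4-byte page table entries; every other mode
    // uses 8-byte entries.
    this->mmpte_size = (VMI_PM_LEGACY == this->pm) ? 4 : 8;
}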