event_response_t debug_cb(drakvuf_t drakvuf, drakvuf_trap_info_t* info) { debugmon* s = (debugmon*)info->trap->data; gchar* escaped_pname = NULL; switch (s->format) { case OUTPUT_CSV: printf("debugmon," FORMAT_TIMEVAL ",%" PRIu32 ",0x%" PRIx64 ",\"%s\",%" PRIi64 ",%" PRIx64 ",%" PRIi32 ",%s\n", UNPACK_TIMEVAL(info->timestamp), info->vcpu, info->regs->cr3, info->proc_data.name, info->proc_data.userid, info->regs->rip, info->debug->type, debug_type[info->debug->type]); break; case OUTPUT_KV: printf("debugmon Time=" FORMAT_TIMEVAL ",PID=%d,PPID=%d,ProcessName=\"%s\"," "RIP=0x%" PRIx64",DebugType=%" PRIi32 ",DebugTypeStr=\"%s\"\n", UNPACK_TIMEVAL(info->timestamp), info->proc_data.pid, info->proc_data.ppid, info->proc_data.name, info->regs->rip, info->debug->type, debug_type[info->debug->type]); break; case OUTPUT_JSON: escaped_pname = drakvuf_escape_str(info->proc_data.name); printf( "{" "\"Plugin\" : \"poolmon\"," "\"TimeStamp\" :" "\"" FORMAT_TIMEVAL "\"," "\"VCPU\": %" PRIu32 "," "\"CR3\": %" PRIu64 "," "\"ProcessName\": %s," "\"UserName\": \"%s\"," "\"UserId\": %" PRIu64 "," "\"PID\" : %d," "\"PPID\": %d," "\"RIP\" : %" PRIu64"," "\"DebugType\" : %" PRIi32 "," "\"DebugTypeStr\": \"%s\"" "}\n", UNPACK_TIMEVAL(info->timestamp), info->vcpu, info->regs->cr3, escaped_pname, USERIDSTR(drakvuf), info->proc_data.userid, info->proc_data.pid, info->proc_data.ppid, info->regs->rip, info->debug->type, debug_type[info->debug->type]); g_free(escaped_pname); break; default: case OUTPUT_DEFAULT: printf("[DEBUGMON] TIME:" FORMAT_TIMEVAL " VCPU:%" PRIu32 " CR3:0x%" PRIx64 ",\"%s\" %s:%" PRIi64". " "RIP: 0x%" PRIx64". Debug type: %" PRIi32 ",%s\n", UNPACK_TIMEVAL(info->timestamp), info->vcpu, info->regs->cr3, info->proc_data.name, USERIDSTR(drakvuf), info->proc_data.userid, info->regs->rip, info->debug->type, debug_type[info->debug->type]); break; } return 0; }
static void print_filedelete_information(filedelete* f, drakvuf_t drakvuf, drakvuf_trap_info_t* info, const char* filename, size_t bytes_read, uint64_t fo_flags) { std::string flags = parse_flags(fo_flags, fo_flags_map, f->format); gchar* escaped_pname = NULL; gchar* escaped_fname = NULL; switch (f->format) { case OUTPUT_CSV: printf("filedelete," FORMAT_TIMEVAL ",%" PRIu32 ",0x%" PRIx64 ",\"%s\",%" PRIi64 ",\"%s\",%" PRIu64 ",0x%" PRIx64 "(%s)\n", UNPACK_TIMEVAL(info->timestamp), info->vcpu, info->regs->cr3, info->proc_data.name, info->proc_data.userid, filename, bytes_read, fo_flags, flags.c_str()); break; case OUTPUT_KV: printf("filedelete Time=" FORMAT_TIMEVAL ",PID=%d,PPID=%d,ProcessName=\"%s\",Method=%s,FileName=\"%s\",Size=%ld,Flags=0x%" PRIx64 "%s%s\n", UNPACK_TIMEVAL(info->timestamp), info->proc_data.pid, info->proc_data.ppid, info->proc_data.name, info->trap->name, filename, bytes_read, fo_flags, (flags.empty() ? "" : ","), flags.c_str()); break; case OUTPUT_JSON: escaped_pname = drakvuf_escape_str(info->proc_data.name); escaped_fname = drakvuf_escape_str(filename); printf( "{" "\"Plugin\" : \"filedelete\"," "\"TimeStamp\" :" "\"" FORMAT_TIMEVAL "\"," "\"ProcessName\": %s," "\"UserName\": \"%s\"," "\"UserId\": %" PRIu64 "," "\"PID\" : %d," "\"PPID\": %d," "\"Method\" : \"%s\"," "\"FileName\" : %s," "\"Size\" : %ld," "\"Flags\" : %" PRIu64 "," "\"FlagsExpanded\" : \"%s\"" "}\n", UNPACK_TIMEVAL(info->timestamp), escaped_pname, USERIDSTR(drakvuf), info->proc_data.userid, info->proc_data.pid, info->proc_data.ppid, info->trap->name, escaped_fname, bytes_read, fo_flags, flags.c_str()); g_free(escaped_fname); g_free(escaped_pname); break; default: case OUTPUT_DEFAULT: printf("[FILEDELETE] TIME:" FORMAT_TIMEVAL " VCPU:%" PRIu32 " CR3:0x%" PRIx64 ",\"%s\" %s:%" PRIi64" \"%s\" SIZE:%" PRIu64 " FO_FLAGS:0x%" PRIx64 "(%s)\n", UNPACK_TIMEVAL(info->timestamp), info->vcpu, info->regs->cr3, info->proc_data.name, USERIDSTR(drakvuf), info->proc_data.userid, filename, bytes_read, fo_flags, flags.c_str()); break; } }
event_response_t cpuid_cb(drakvuf_t drakvuf, drakvuf_trap_info_t* info) { cpuidmon* s = (cpuidmon*)info->trap->data; switch (s->format) { case OUTPUT_CSV: printf("cpuidmon," FORMAT_TIMEVAL ",%" PRIu32 ",0x%" PRIx64 ",\"%s\",%" PRIi64 "\n", UNPACK_TIMEVAL(info->timestamp), info->vcpu, info->regs->cr3, info->proc_data.name, info->proc_data.userid); break; case OUTPUT_KV: printf("cpuidmon Time=" FORMAT_TIMEVAL ",PID=%d,PPID=%d,ProcessName=\"%s\"," "Leaf=0x%" PRIx32 ",Subleaf=0x%" PRIx32"," "RAX=0x%" PRIx64 ",RBX=0x%" PRIx64 ",RCX=0x%" PRIx64 ",RDX=0x%" PRIx64 "\n", UNPACK_TIMEVAL(info->timestamp), info->proc_data.pid, info->proc_data.ppid, info->proc_data.name, info->cpuid->leaf, info->cpuid->subleaf, info->regs->rax, info->regs->rbx, info->regs->rcx, info->regs->rdx); break; default: case OUTPUT_DEFAULT: printf("[CPUIDMON] TIME:" FORMAT_TIMEVAL " VCPU:%" PRIu32 " CR3:0x%" PRIx64 ",\"%s\" %s:%" PRIi64". " "Leaf: 0x%" PRIx32 ". Subleaf: 0x%" PRIx32". " "RAX: 0x%" PRIx64 " RBX: 0x%" PRIx64 " RCX: 0x%" PRIx64 " RDX: 0x%" PRIx64 "\n", UNPACK_TIMEVAL(info->timestamp), info->vcpu, info->regs->cr3, info->proc_data.name, USERIDSTR(drakvuf), info->proc_data.userid, info->cpuid->leaf, info->cpuid->subleaf, info->regs->rax, info->regs->rbx, info->regs->rcx, info->regs->rdx ); break; }; if ( s->stealth ) { if ( info->cpuid->leaf == 1 ) { info->regs->rcx &= ~0x80000000; } if ( info->cpuid->leaf >= 0x40000000 && info->cpuid->leaf <= 0x40000004 ) { info->regs->rax = 0; info->regs->rbx = 0; info->regs->rcx = 0; info->regs->rdx = 0; } } return 0; }
static event_response_t cb(drakvuf_t drakvuf, drakvuf_trap_info_t* info) { poolmon* p = (poolmon*)info->trap->data; page_mode_t pm = drakvuf_get_page_mode(drakvuf); reg_t pool_type, size; char tag[5] = { [0 ... 4] = '\0' }; struct pooltag* s = NULL; const char* pool_type_str; access_context_t ctx; ctx.translate_mechanism = VMI_TM_PROCESS_DTB; ctx.dtb = info->regs->cr3; if (pm == VMI_PM_IA32E) { pool_type = info->regs->rcx; size = info->regs->rdx; *(reg_t*)tag = info->regs->r8; } else { vmi_lock_guard vmi_lg(drakvuf); vmi_instance_t& vmi = vmi_lg.vmi; ctx.addr = info->regs->rsp+12; if ( VMI_FAILURE == vmi_read_32(vmi, &ctx, (uint32_t*)tag) ) return 0; ctx.addr = info->regs->rsp+8; if ( VMI_FAILURE == vmi_read_32(vmi, &ctx, (uint32_t*)&size) ) return 0; ctx.addr = info->regs->rsp+4; if ( VMI_FAILURE == vmi_read_32(vmi, &ctx, (uint32_t*)&pool_type) ) return 0; } s = (struct pooltag*)g_tree_lookup(p->pooltag_tree, tag); pool_type_str = pool_type<MaxPoolType ? pool_types[pool_type] : "unknown_pool_type"; switch (p->format) { case OUTPUT_CSV: printf("poolmon," FORMAT_TIMEVAL ",%" PRIu32 ",0x%" PRIx64 ",\"%s\",%" PRIi64 ",%s,%s,%" PRIu64 "", UNPACK_TIMEVAL(info->timestamp), info->vcpu, info->regs->cr3, info->proc_data.name, info->proc_data.userid, tag, pool_type_str, size); if (s) printf(",%s,%s", s->source, s->description); break; case OUTPUT_KV: printf("poolmon Time=" FORMAT_TIMEVAL ",PID=%d,PPID=%d,ProcessName=\"%s\"," "Tag=%s,Type=%s,Size=%" PRIu64, UNPACK_TIMEVAL(info->timestamp), info->proc_data.pid, info->proc_data.ppid, info->proc_data.name, tag, pool_type_str, size); if (s) printf(",Source=%s,Description=%s", s->source, s->description); break; default: case OUTPUT_DEFAULT: printf("[POOLMON] TIME:" FORMAT_TIMEVAL " VCPU:%" PRIu32 " CR3:0x%" PRIx64 ",\"%s\" %s:%" PRIi64 " %s (type: %s, size: %" PRIu64 ")", UNPACK_TIMEVAL(info->timestamp), info->vcpu, info->regs->cr3, info->proc_data.name, USERIDSTR(drakvuf), info->proc_data.userid, tag, pool_type_str, size); if (s) printf(": %s,%s", s->source, s->description); break; } printf("\n"); return 0; }
static event_response_t hook_cb(drakvuf_t drakvuf, drakvuf_trap_info_t* info) { bsodmon* f = static_cast<bsodmon*>(info->trap->data); vmi_instance_t vmi = drakvuf_lock_and_get_vmi(drakvuf); access_context_t ctx; ctx.translate_mechanism = VMI_TM_PROCESS_DTB; ctx.dtb = info->regs->cr3; uint64_t code = 0; uint64_t params[4] = { 0 }; const char* bugcheck_name = "UNKNOWN_CODE" ; gchar* escaped_pname = NULL; bool is32bit = drakvuf_get_page_mode(drakvuf) != VMI_PM_IA32E; if (is32bit) { ctx.addr = info->regs->rsp + 4; if ( VMI_FAILURE == vmi_read_32(vmi, &ctx, (uint32_t*)&code) ) goto done; ctx.addr = info->regs->rsp + 8; if ( VMI_FAILURE == vmi_read_32(vmi, &ctx, (uint32_t*)¶ms[0]) ) goto done; ctx.addr = info->regs->rsp + 0xc; if ( VMI_FAILURE == vmi_read_32(vmi, &ctx, (uint32_t*)¶ms[1]) ) goto done; ctx.addr = info->regs->rsp + 0x10; if ( VMI_FAILURE == vmi_read_32(vmi, &ctx, (uint32_t*)¶ms[2]) ) goto done; ctx.addr = info->regs->rsp + 0x14; if ( VMI_FAILURE == vmi_read_32(vmi, &ctx, (uint32_t*)¶ms[3]) ) goto done; } else { code = info->regs->rcx; params[0] = info->regs->rdx; params[1] = info->regs->r8; params[2] = info->regs->r9; ctx.addr = info->regs->rsp + 0x20; if ( VMI_FAILURE == vmi_read_32(vmi, &ctx, (uint32_t*)¶ms[3]) ) goto done; } if ( f->bugcheck_map.find( code ) != f->bugcheck_map.end() ) bugcheck_name = f->bugcheck_map[ code ]; switch (f->format) { case OUTPUT_CSV: printf("bsodmon," FORMAT_TIMEVAL ",%" PRIu32 ",0x%" PRIx64 ",\"%s\",%" PRIi64 ",%" PRIx64 ",\"%s\",%" PRIx64 ",%" PRIx64 ",%" PRIx64 ",%" PRIx64 "\n", UNPACK_TIMEVAL(info->timestamp), info->vcpu, info->regs->cr3, info->proc_data.name, info->proc_data.userid, code, bugcheck_name, params[0], params[1], params[2], params[3]); break; case OUTPUT_KV: printf("bsodmon Time=" FORMAT_TIMEVAL ",PID=%d,PPID=%d,ProcessName=\"%s\",BugCheckCode=%" PRIx64 ",BugCheckName=\"%s\",BugCheckParameter1=%" PRIx64 ",BugCheckParameter2=%" PRIx64 ",BugCheckParameter2=%" PRIx64 ",BugCheckParameter4=%" PRIx64 "\n", UNPACK_TIMEVAL(info->timestamp), info->proc_data.pid, info->proc_data.ppid, info->proc_data.name, code, bugcheck_name, params[0], params[1], params[2], params[3]); break; case OUTPUT_JSON: escaped_pname = drakvuf_escape_str(info->proc_data.name); printf( "{" "\"Plugin\" : \"bsodmon\"," "\"TimeStamp\" :" "\"" FORMAT_TIMEVAL "\"," "\"VCPU\": %" PRIu32 "," "\"CR3\": %" PRIu64 "," "\"ProcessName\": %s," "\"UserId\": %" PRIu64 "," "\"PID\" : %d," "\"PPID\": %d," "\"BugCheckCode\": %" PRIu64 "," "\"BugCheckName\": \"%s\"," "\"BugCheckParameter1\": %" PRIu64 "," "\"BugCheckParameter2\": %" PRIu64 "," "\"BugCheckParameter3\": %" PRIu64 "," "\"BugCheckParameter4\": %" PRIu64 "}\n", UNPACK_TIMEVAL(info->timestamp), info->vcpu, info->regs->cr3, escaped_pname, info->proc_data.userid, info->proc_data.pid, info->proc_data.ppid, code, bugcheck_name, params[0], params[1], params[2], params[3]); g_free(escaped_pname); break; default: case OUTPUT_DEFAULT: printf("[BSODMON] TIME:" FORMAT_TIMEVAL " VCPU:%" PRIu32 " CR3:0x%" PRIx64 ",\"%s\" %s:%" PRIi64 " BugCheckCode:%" PRIx64 " BugCheckName:%s BugCheckParameter1:%" PRIx64 " BugCheckParameter2:%" PRIx64 " BugCheckParameter3:%" PRIx64 " BugCheckParameter4:%" PRIx64 "\n", UNPACK_TIMEVAL(info->timestamp), info->vcpu, info->regs->cr3, info->proc_data.name, USERIDSTR(drakvuf), info->proc_data.userid, code, bugcheck_name, params[0], params[1], params[2], params[3]); break; } done: drakvuf_release_vmi(drakvuf); if ( f->abort_on_bsod ) drakvuf_interrupt( drakvuf, SIGDRAKVUFERROR); return 0; }