/// Bind hook_cb to the kernel function named syscall_name and activate the trap.
///
/// @param drakvuf       DRAKVUF handle used for symbol lookup and trap installation.
/// @param syscall_name  Name of the kernel function to hook; becomes trap->name.
/// @param trap          Trap object to fill in; its breakpoint.rva is resolved here.
/// @param hook_cb       Callback invoked when the trap fires.
/// @throws int (-1) when the symbol cannot be resolved or the trap cannot be added.
void bsodmon::register_trap(drakvuf_t drakvuf, const char* syscall_name,
                            drakvuf_trap_t* trap,
                            event_response_t(*hook_cb)( drakvuf_t drakvuf, drakvuf_trap_info_t* info ))
{
    trap->cb   = hook_cb;
    trap->name = syscall_name;

    // Both failure modes are reported the same way the rest of the plugin does: a thrown -1.
    const bool resolved = drakvuf_get_function_rva( drakvuf, syscall_name, &trap->breakpoint.rva );
    if ( !resolved )
        throw -1;

    const bool added = drakvuf_add_trap( drakvuf, trap );
    if ( !added )
        throw -1;
}
/// Construct the BSOD monitor: build the bugcheck lookup table and hook KeBugCheck2.
///
/// @param drakvuf         DRAKVUF handle used for symbol lookup and trap installation.
/// @param _abort_on_bsod  Stored in abort_on_bsod (read elsewhere in the plugin).
/// @param output          Output format stored in format.
/// @throws int (-1) when KeBugCheck2 cannot be resolved or the trap cannot be added.
bsodmon::bsodmon(drakvuf_t drakvuf, bool _abort_on_bsod, output_format_t output)
    : format{output}
    , abort_on_bsod{_abort_on_bsod}
{
    // Populate the bugcheck-code map before the trap can fire (presumably the
    // callback consults it — confirm in hook_cb).
    init_bugcheck_map( this, drakvuf );

    const char* const target = "KeBugCheck2";
    trap.name = target;
    trap.cb   = hook_cb;

    const bool resolved = drakvuf_get_function_rva( drakvuf, target, &trap.breakpoint.rva );
    if ( !resolved )
        throw -1;

    const bool added = drakvuf_add_trap( drakvuf, &trap );
    if ( !added )
        throw -1;
}
/// Construct the debug-event monitor and register its DEBUG-type trap.
///
/// @param _drakvuf  DRAKVUF handle; stored in the drakvuf member and used to add the trap.
/// @param _output   Output format stored in format.
/// @throws int (-1) when the trap cannot be added (an error is printed to stderr first).
debugmon::debugmon(drakvuf_t _drakvuf, output_format_t _output)
    : format{_output}
    , drakvuf{_drakvuf}
{
    // The plugin object travels to the callback through the trap's data slot.
    debug.type = DEBUG;
    debug.data = static_cast<void*>(this);
    debug.cb   = debug_cb;

    const bool registered = drakvuf_add_trap(drakvuf, &debug);
    if ( !registered )
    {
        fprintf(stderr, "Failed to register Debugmon plugin\n");
        throw -1;
    }
}
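/// Construct the CPUID monitor and register its CPUID-type trap.
///
/// @param drakvuf  DRAKVUF handle; stored in the drakvuf member and used to add the trap.
/// @param config   Points to a single bool selecting stealth mode; must not be null.
/// @param output   Output format stored in format.
/// @throws int (-1) when config is null or the trap cannot be added
///         (an error is printed to stderr first).
cpuidmon::cpuidmon(drakvuf_t drakvuf, const void* config, output_format_t output)
{
    // The original dereferenced config unconditionally, so a missing config
    // crashed the process instead of failing the way every other registration
    // error in this constructor does.
    if ( !config )
    {
        fprintf(stderr, "Failed to register CPUIDMON plugin: no config\n");
        throw -1;
    }

    this->format = output;
    this->stealth = *static_cast<const bool*>(config);
    this->drakvuf = drakvuf;

    // The plugin object travels to the callback through the trap's data slot.
    this->cpuid.cb = cpuid_cb;
    this->cpuid.data = static_cast<void*>(this);
    this->cpuid.type = CPUID;

    if ( !drakvuf_add_trap(drakvuf, &this->cpuid) )
    {
        fprintf(stderr, "Failed to register CPUIDMON plugin\n");
        throw -1;
    }
}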
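/// Construct the pool monitor: hook ExAllocatePoolWithTag in ntoskrnl.exe and
/// build the pool-tag lookup tree the callback uses.
///
/// @param drakvuf  DRAKVUF handle used for symbol lookup and trap installation.
/// @param config   Unused by this plugin; kept for the common constructor signature.
/// @param output   Output format stored in format.
/// @throws int (-1) when the symbol cannot be resolved or the trap cannot be added.
poolmon::poolmon(drakvuf_t drakvuf, const void* config, output_format_t output)
{
    (void)config;

    const char* const target = "ExAllocatePoolWithTag";

    // Resolve the hook address before allocating anything: a throw from a
    // constructor skips the destructor, so the original order (tree built
    // first) leaked pooltag_tree whenever this lookup failed.
    this->trap.breakpoint.lookup_type = LOOKUP_PID;
    this->trap.breakpoint.pid = 4;   // presumably the Windows System process — confirm
    this->trap.breakpoint.addr_type = ADDR_RVA;

    if ( !drakvuf_get_function_rva(drakvuf, target, &this->trap.breakpoint.rva) )
        throw -1;

    // Built before the trap goes live; presumably cb consults it — confirm.
    this->pooltag_tree = pooltag_build_tree();

    this->trap.breakpoint.module = "ntoskrnl.exe";
    this->trap.name = target;
    this->trap.type = BREAKPOINT;
    this->trap.cb = cb;
    this->trap.data = static_cast<void*>(this);
    this->format = output;

    // NOTE(review): pooltag_tree is still leaked if this fails (no destructor
    // runs for a partially constructed object); releasing it here needs the
    // tree's free function, which is not visible in this block.
    if ( !drakvuf_add_trap(drakvuf, &this->trap) )
        throw -1;
}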
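/// Construct the syscall monitor: load symbols from the Rekall profile named by
/// config, build the trap list for them and install every trap.
///
/// @param drakvuf  DRAKVUF handle used to build and install the traps.
/// @param config   Path of the Rekall profile (a NUL-terminated C string).
/// @param output   Output format stored in format.
/// @throws int (-1) when the profile cannot be parsed (an error is printed to
///         stderr first) or when any trap cannot be added.
syscalls::syscalls(drakvuf_t drakvuf, const void *config, output_format_t output) {
    this->format = output;

    const char *rekall_profile = static_cast<const char *>(config);
    symbols_t *symbols = drakvuf_get_symbols_from_rekall(rekall_profile);
    if (!symbols)
    {
        fprintf(stderr, "Failed to parse Rekall profile at %s\n", rekall_profile);
        // The original returned here, leaving a live plugin object whose traps
        // member was never assigned; every other plugin constructor signals a
        // failed setup by throwing -1, so do the same.
        throw -1;
    }

    this->traps = create_trap_config(drakvuf, this, symbols);

    // The symbols are only needed to build the trap list.
    drakvuf_free_symbols(symbols);

    // NOTE(review): a failed drakvuf_add_trap leaves the traps list allocated
    // by create_trap_config unreleased; how to free it is not visible here.
    for (GSList *node = this->traps; node; node = node->next) {
        drakvuf_trap_t *trap = static_cast<drakvuf_trap_t *>(node->data);

        if ( !drakvuf_add_trap(drakvuf, trap) )
            throw -1;
    }
}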