// Resolve `syscall_name` to a kernel RVA and install `trap` with `hook_cb` as its
// callback. Only trap->name, trap->cb and trap->breakpoint.rva are written here;
// every other trap field (type, lookup mode, module, data) is left as the caller
// provided it. If drakvuf_trap_t::name is a raw pointer (the plain assignment
// below suggests so), `syscall_name` must outlive the trap — no copy is taken.
// Throws int(-1) if the symbol cannot be resolved or the trap cannot be added.
void bsodmon::register_trap(drakvuf_t drakvuf, const char* syscall_name,
                            drakvuf_trap_t* trap,
                            event_response_t(*hook_cb)( drakvuf_t drakvuf, drakvuf_trap_info_t* info ))
{
    trap->name = syscall_name;
    trap->cb   = hook_cb;

    // Symbol lookup failure is fatal for the plugin: a trap with no RVA is useless.
    const bool rva_found = drakvuf_get_function_rva(drakvuf, syscall_name, &trap->breakpoint.rva);
    if (!rva_found)
        throw -1;

    // The trap object is now fully populated; hand it to DRAKVUF.
    const bool trap_added = drakvuf_add_trap(drakvuf, trap);
    if (!trap_added)
        throw -1;
}
// Construct the BSOD monitor: build the bugcheck-code table, then place a
// breakpoint on the kernel symbol "KeBugCheck2" with hook_cb as the handler.
// Presumably KeBugCheck2 is used because the other bugcheck entry points route
// through it — that is not shown here. Throws int(-1) if the symbol cannot be
// resolved or the trap cannot be installed; the plugin is then not constructed.
bsodmon::bsodmon(drakvuf_t drakvuf, bool _abort_on_bsod, output_format_t output)
    : format{output}
    , abort_on_bsod{_abort_on_bsod}
{
    // NOTE(review): whatever init_bugcheck_map allocates is not released by
    // ~bsodmon on the throw paths below (the destructor does not run for a
    // partially constructed object) — confirm that state is RAII-owned.
    init_bugcheck_map( this, drakvuf );

    // Same literal used for both the trap name and the symbol lookup, so the
    // two can never drift apart.
    const char* const bugcheck_symbol = "KeBugCheck2";
    trap.name = bugcheck_symbol;
    trap.cb   = hook_cb;

    const bool rva_found = drakvuf_get_function_rva( drakvuf, bugcheck_symbol, &trap.breakpoint.rva);
    if ( !rva_found )
        throw -1;

    const bool trap_added = drakvuf_add_trap( drakvuf, &trap );
    if ( !trap_added )
        throw -1;
}
// Resolve `func_name`, exported by kernel module `lib`, to a virtual address.
// Two steps: symbol -> RVA via the profile, then RVA -> VA via the module's
// export mapping. Each failure is logged with PRINT_DEBUG and turned into an
// int(-1) exception, so a caller never receives a bogus address.
static addr_t get_function_va(drakvuf_t drakvuf, const char* lib, const char* func_name)
{
    addr_t rva = 0;
    const bool have_rva = drakvuf_get_function_rva(drakvuf, func_name, &rva);
    if (!have_rva)
    {
        PRINT_DEBUG("[FILEDELETE2] [Init] Failed to get RVA of %s\n", func_name);
        throw -1;
    }

    // The lookup is performed in the context of PID 4 — presumably the Windows
    // System process, where kernel modules are mapped. A zero VA signals failure.
    const addr_t va = drakvuf_exportksym_to_va(drakvuf, 4, nullptr, lib, rva);
    if (va == 0)
    {
        PRINT_DEBUG("[FILEDELETE2] [Init] Failed to get VA of %s\n", func_name);
        throw -1;
    }

    return va;
}
// Construct the pool monitor: build the pool-tag lookup tree and install a
// breakpoint on ntoskrnl.exe!ExAllocatePoolWithTag, resolved by RVA in the
// address space of PID 4 (presumably the Windows System process). `config` is
// not read here. Throws int(-1) if the symbol cannot be resolved or the trap
// cannot be installed.
poolmon::poolmon(drakvuf_t drakvuf, const void* config, output_format_t output)
{
    // NOTE(review): if pooltag_tree is a raw owning handle, the throw paths
    // below leak it — the destructor does not run for a partially constructed
    // object. Confirm against the member's type.
    pooltag_tree = pooltag_build_tree();
    format = output;

    const char* const hooked_module = "ntoskrnl.exe";
    const char* const hooked_symbol = "ExAllocatePoolWithTag";

    auto& bp_trap = trap;
    bp_trap.breakpoint.lookup_type = LOOKUP_PID;
    bp_trap.breakpoint.pid         = 4;
    bp_trap.breakpoint.addr_type   = ADDR_RVA;

    // No RVA means nothing to hook; give up before touching the hypervisor.
    const bool rva_found = drakvuf_get_function_rva(drakvuf, hooked_symbol, &bp_trap.breakpoint.rva);
    if ( !rva_found )
        throw -1;

    bp_trap.breakpoint.module = hooked_module;
    bp_trap.name = hooked_symbol;
    bp_trap.type = BREAKPOINT;
    bp_trap.cb   = cb;
    // The callback gets the plugin instance back through trap->data.
    bp_trap.data = static_cast<void*>(this);

    const bool trap_added = drakvuf_add_trap(drakvuf, &bp_trap);
    if ( !trap_added )
        throw -1;
}