bool drakvuf_init(drakvuf_t *drakvuf, const char *domain, const char *rekall_profile, bool _verbose) {
if ( !domain || !rekall_profile )
return 0;
#ifdef DRAKVUF_DEBUG
verbose = _verbose;
#endif
*drakvuf = g_malloc0(sizeof(struct drakvuf));
(*drakvuf)->rekall_profile = g_strdup(rekall_profile);
g_mutex_init(&(*drakvuf)->vmi_lock);
if ( !xen_init_interface(&(*drakvuf)->xen) )
goto err;
get_dom_info((*drakvuf)->xen, domain, &(*drakvuf)->domID, &(*drakvuf)->dom_name);
domid_t test = ~0;
if ( (*drakvuf)->domID == test )
goto err;
if (!init_vmi(*drakvuf))
goto err;
return 1;
err:
drakvuf_close(*drakvuf);
*drakvuf = NULL;
return 0;
}
int main(int argc, char** argv)
{
DIR* dir;
struct dirent* ent;
unsigned int i;
unsigned int processed = 0;
unsigned int total_processed = 0;
int ret = 0;
struct sigaction act;
shutting_down = 0;
if (argc!=15)
{
printf("Not enough arguments: %i!\n", argc);
printf("%s <loop (0) or poll (1)> <origin domain name> <domain config> <rekall_profile> <injection pid> <watch folder> <serve folder> <output folder> <max clones> <clone_script> <config_script> <drakvuf_script> <cleanup_script> <tcpdump_script>\n", argv[0]);
return 1;
}
/* for a clean exit */
act.sa_handler = close_handler;
act.sa_flags = 0;
sigemptyset(&act.sa_mask);
sigaction(SIGHUP, &act, NULL);
sigaction(SIGTERM, &act, NULL);
sigaction(SIGINT, &act, NULL);
sigaction(SIGALRM, &act, NULL);
xen_init_interface(&xen);
int do_poll = atoi(argv[1]);
domain_name = argv[2];
domain_config = argv[3];
rekall_profile = argv[4];
injection_pid = atoi(argv[5]);
in_folder = argv[6];
run_folder = argv[7];
out_folder = argv[8];
threads = atoi(argv[9]);
clone_script = argv[10];
config_script = argv[11];
drakvuf_script = argv[12];
cleanup_script = argv[13];
tcpdump_script = argv[14];
if (threads > 128)
{
printf("Too many clones requested (max 128 is specified right now)\n");
return 1;
}
for (i=0; i<threads; i++)
g_mutex_init(&locks[i]);
pool = g_thread_pool_new(run_drakvuf, NULL, threads, TRUE, NULL);
int fd = inotify_init();
int wd = inotify_add_watch(fd, in_folder, IN_CLOSE_WRITE);
char buffer[sizeof(struct inotify_event) + NAME_MAX + 1];
struct pollfd pollfd =
{
.fd = fd,
.events = POLLIN
};
int threadid = -1;
do
{
processed = 0;
while (threadid<0 && !shutting_down)
{
sleep(1);
threadid = find_thread();
}
if ((dir = opendir (in_folder)) != NULL)
{
while ((ent = readdir (dir)) != NULL && !shutting_down)
{
if (!strcmp(ent->d_name, ".") || !strcmp(ent->d_name, ".."))
continue;
char* command;
command = g_strdup_printf("mv %s/%s %s/%s", in_folder, ent->d_name, run_folder, ent->d_name);
printf("** MOVING FILE FOR PROCESSING: %s\n", command);
g_spawn_command_line_sync(command, NULL, NULL, NULL, NULL);
g_free(command);
struct start_drakvuf* _start = prepare(NULL, threadid);
start(_start, ent->d_name);
threadid = -1;
processed++;
}
closedir (dir);
}
else
{
printf("Failed to open target folder!\n");
ret = 1;
break;
}
if ( processed )
{
total_processed += processed;
printf("Batch processing started %u samples (total %u)\n", processed, total_processed);
}
if ( !processed && !shutting_down )
{
if ( do_poll )
{
do
{
int rv = poll (&pollfd, 1, 1000);
if ( rv < 0 )
{
printf("Error polling\n");
ret = 1;
break;
}
if ( rv > 0 && pollfd.revents & POLLIN )
{
if ( read( fd, buffer, sizeof(struct inotify_event) + NAME_MAX + 1 ) < 0 )
{
printf("Error reading inotify event\n");
ret = 1;
}
break;
}
}
while (!shutting_down && !ret);
}
else
sleep(1);
}
}
while (!shutting_down && !ret);
inotify_rm_watch( fd, wd );
close(fd);
g_thread_pool_free(pool, FALSE, TRUE);
if ( threadid >= 0 )
g_mutex_unlock(&locks[threadid]);
for (i=0; i<threads; i++)
g_mutex_clear(&locks[i]);
xen_free_interface(xen);
printf("Finished processing %u samples\n", total_processed);
return ret;
}
int main(int argc, char** argv)
{
DIR *dir;
struct dirent *ent;
unsigned int i, processed = 0;
int ret = 0;
if(argc!=14) {
printf("Not enough arguments: %i!\n", argc);
printf("%s <origin domain name> <domain config> <rekall_profile> <injection pid> <watch folder> <serve folder> <output folder> <max clones> <clone_script> <config_script> <drakvuf_script> <cleanup_script> <tcpdump_script>\n", argv[0]);
return 1;
}
xen_init_interface(&xen);
domain_name = argv[1];
domain_config = argv[2];
rekall_profile = argv[3];
injection_pid = atoi(argv[4]);
in_folder = argv[5];
run_folder = argv[6];
out_folder = argv[7];
threads = atoi(argv[8]);
clone_script = argv[9];
config_script = argv[10];
drakvuf_script = argv[11];
cleanup_script = argv[12];
tcpdump_script = argv[13];
if (threads > 128) {
printf("Too many clones requested (max 128 is specified right now)\n");
return 1;
}
g_mutex_init(&prepare_lock);
for(i=0;i<threads;i++)
g_mutex_init(&locks[i]);
pool = g_thread_pool_new(run_drakvuf, NULL, threads, TRUE, NULL);
char buffer[sizeof(struct inotify_event) + NAME_MAX + 1];
int fd = inotify_init();
int wd = inotify_add_watch( fd, in_folder, IN_CLOSE_WRITE );
do {
processed = 0;
if ((dir = opendir (in_folder)) != NULL) {
while ((ent = readdir (dir)) != NULL) {
if (!strcmp(ent->d_name, ".") || !strcmp(ent->d_name, ".."))
continue;
char *command = g_malloc0(snprintf(NULL, 0, "mv %s/%s %s/%s", in_folder, ent->d_name, run_folder, ent->d_name) + 1);
sprintf(command, "mv %s/%s %s/%s", in_folder, ent->d_name, run_folder, ent->d_name);
printf("** MOVING FILE FOR PROCESSING: %s\n", command);
g_spawn_command_line_sync(command, NULL, NULL, NULL, NULL);
g_free(command);
prepare(g_strdup(ent->d_name), NULL);
processed++;
}
closedir (dir);
} else {
printf("Failed to open target folder!\n");
ret = 1;
break;
}
if (!processed) {
printf("Run folder is empty, waiting for file creation\n");
int l = read( fd, buffer, sizeof(struct inotify_event) + NAME_MAX + 1 );
if ( l <= 0 ) {
ret = 1;
break;
}
}
} while(1);
inotify_rm_watch( fd, wd );
close(fd);
g_thread_pool_free(pool, FALSE, TRUE);
g_mutex_clear(&prepare_lock);
for(i=0;i<threads;i++)
g_mutex_clear(&locks[i]);
xen_free_interface(xen);
printf("Finished processing this batch\n");
return ret;
}
