void set_trace_kernel(Monitor *mon, const QDict *qdict) { const char *filename = qdict_get_str(qdict, "filepath"); should_trace_all_kernel = 1; do_tracing_internal(-1, filename); }
void do_tracing(Monitor *mon, const QDict *qdict) { uint32_t pid = qdict_get_int(qdict, "pid"); const char *filename = qdict_get_str(qdict, "filepath"); do_tracing_internal(pid, filename); }
static void my_loadmainmodule_notify(VMI_Callback_Params * params) { char *name = params->cp.name; if (procname_is_set()) { if (procname_match(name)) { do_tracing_internal(params->cp.pid, tracefile); trackproc_start(params->cp.pid); DECAF_printf( "Tracing %s\n", procname_get()); procname_clear(); } } }
void do_tracing(Monitor *mon, const QDict *qdict) { uint32_t pid = qdict_get_int(qdict, "pid"); const char *filename = qdict_get_str(qdict, "filepath"); char proc_name[512]; uint32_t cr3; if( VMI_find_process_by_pid_c(pid, proc_name, 512, &cr3)!= -1){ procname_set(proc_name); strncpy(tracefile, filename, 256); do_tracing_internal(pid, filename); trackproc_start(pid); } else DECAF_printf("Unable to find process %d \n", pid); }
static void do_tracing_by_name_internal(const char *progname, const char *filename) { /* If process already running, start tracing */ uint32_t pid = VMI_find_pid_by_name_c(progname); uint32_t minus_one = (uint32_t)(-1); if (pid != minus_one) { procname_set(progname); strncpy(tracefile, filename, 256); do_tracing_internal(pid, filename); trackproc_start(pid); return; } /* Otherwise, start monitoring for process start */ procname_set(progname); strncpy(tracefile, filename, 256); DECAF_printf( "Waiting for process %s to start\n", progname); }
static void tracing_proc_start(procmod_Callback_Params * params) { /* If tracingbyname, check if this is the process to trace. If so, start the trace */ if (procname_is_set()) { if (procname_match(params->lmm.name)) { uint32_t pid = params->lmm.pid; // Start tracing do_tracing_internal(pid, tracefile); monitor_printf(default_mon, "Tracing %s\n", procname_get()); // No need to keep monitoring process name procname_clear(); } } /* If tracing child and first child then trace child instead of parent and enable logging */ if (tracing_child && trackproc_found_child()) { uint32_t curr_pid = trackproc_get_current_pid(); if ((trackproc_find_pid(curr_pid) != -1) && (curr_pid != trackproc_get_root_pid())) { uint32_t child_cr3 = find_cr3(curr_pid); if (0 == child_cr3) { monitor_printf(default_mon, "CR3 for child process %d not found\n",curr_pid); } else { decaf_plugin->monitored_cr3 = child_cr3; tracepid = curr_pid; tracecr3 = child_cr3; monitor_printf(default_mon, "Now tracing child process. PID: %d CR3: 0x%08x\n", curr_pid, child_cr3); skip_trace_write = 0; tracing_child = 0; } } } }
static void do_tracing_by_name_internal(const char *progname, const char *filename) { /* If process already running, start tracing */ uint32_t pid = find_pid_by_name(progname); uint32_t minus_one = (uint32_t)(-1); if (pid != minus_one) { do_tracing_internal(pid,filename); } else { /* Otherwise, start monitoring for process start */ procname_set(progname); strncpy(tracefile, filename, 256); monitor_printf (default_mon, "Waiting for process %s to start\n", progname); } /* Print configuration variables */ //print_conf_vars(); }
/* Param format <pid>:<traceFilename>:<pidToSignal>:<processName> */ void tracing_after_loadvm(const char*param) { char buf[256]; strncpy(buf, param, sizeof(buf) - 1); buf[255] = '\0'; int pid_to_signal = 0; char *pid_str = strtok(buf, ":"); if (!pid_str) return; char *trace_filename = strtok(0, ":"); if (!trace_filename) return; char *pid_to_signal_str = strtok(0, ":"); char *process_name = strtok(0, ":"); char *end = pid_str; int pid = (int) strtol (pid_str, &end, 10); if (end == pid_str) { pid = -1; } /* If no PID or Process_name, return */ if ((process_name == NULL) && (pid == -1)) { monitor_printf(default_mon, "PARAM: %s\n", param); monitor_printf(default_mon, "START: %p END: %p\n", pid_str, end); monitor_printf(default_mon, "No PID or Process_name provided\n"); return; } if (pid_to_signal_str) { end = pid_to_signal_str; pid_to_signal = (int) strtol (pid_to_signal_str, &end, 10); if (end == pid_to_signal_str) { pid_to_signal = 0; } } monitor_printf (default_mon, "PID: %d PID2SIGNAL: %d PROCESS_NAME: %s\n", pid, pid_to_signal, process_name); #ifdef TAINT_ENABLED /* Taint the network */ do_taint_nic_internal(1); /* Filter traffic (read from ini configuration file) */ print_nic_filter(); #endif // #ifdef TAINT_ENABLED /* OS dependant initialization */ if (0 == taskaddr) init_kernel_offsets(); if (0xC0000000 == kernel_mem_start) /* linux */ update_proc(0); /* Load hooks */ do_load_hooks_internal("",""); /* Start trace */ if (process_name == NULL) do_tracing_internal(pid, trace_filename); else do_tracing_by_name_internal(process_name,trace_filename); /* Send signal to notify that trace is ready */ //if (pid_to_signal != 0) kill(pid_to_signal,SIGUSR1); int pipe_fd = open("/tmp/tfd.pipe",O_WRONLY); size_t num_written = write(pipe_fd,"OK",2); if (num_written != 2) { monitor_printf (default_mon, "Error writing to /tmp/tfd.pipe\n"); } close(pipe_fd); }