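/*
 * Return the PID of the parent of the tracked process uiPID.
 *
 * The parent is resolved through the m_iParent index stored in the
 * tracked process's table entry.  Returns (uint32_t)-1 when uiPID is not
 * tracked, or when the stored parent index does not point inside the
 * populated part of the table (the first l_iNumProc entries) -- an unset
 * or stale parent slot must not become an out-of-bounds read.
 */
uint32_t trackproc_get_parent_pid(uint32_t uiPID)
{
  int iPos = trackproc_find_pid(uiPID);
  if (iPos == -1)
    return (uint32_t)-1;

  /* Validate the parent index before using it as an array subscript */
  int iParent = l_arTrackProcInfo[iPos].m_iParent;
  if (iParent < 0 || iParent >= l_iNumProc)
    return (uint32_t)-1;

  return l_arTrackProcInfo[iParent].m_uiPID;
}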
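/*
 * Start tracking a newly created child process that is, for now, known
 * only by its handle uiHandle.  Its PID is recorded as -1 (all bits set)
 * until it is resolved by another part of the tracker.
 *
 * Returns 0 on success, -1 if the fixed-size table is full, -2 if uiHandle
 * is already tracked, and -3 if uiParentPID is not a tracked process.
 * On any failure the table is left untouched: the parent lookup happens
 * before the new slot is written, so a rejected call no longer leaves a
 * half-filled entry behind at index l_iNumProc.
 */
int trackproc_add_new_handle(uint32_t uiHandle, uint32_t uiParentPID)
{
  /* The table is fixed-size; refuse rather than overflow it */
  if (l_iNumProc >= MAX_CHILDPROC) {
    monitor_printf(default_mon,
                    "Maximum number of child processes exceeded, ignoring\n");
    return -1;
  }

  /* Reject duplicate handles */
  if (trackproc_find_handle(uiHandle) >= 0) {
    return -2;
  }

  /* The parent must already be tracked.  Resolve it before touching the
     table so that a failure leaves no partially written slot. */
  int iParentIndex = trackproc_find_pid(uiParentPID);
  if (iParentIndex < 0) {
    return -3;
  }

  /* All checks passed: fill the next free slot */
  l_arTrackProcInfo[l_iNumProc].m_uiHandle = uiHandle;
  l_arTrackProcInfo[l_iNumProc].m_uiPID = -1;   /* PID not yet known */
  l_arTrackProcInfo[l_iNumProc].m_iParent = iParentIndex;

  /* Commit the entry */
  l_iNumProc++;

  return 0;
}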
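/*
 * procmod callback invoked when a process starts.
 *
 * Two responsibilities:
 *  1. Tracing by name: if a process name filter is armed, compare the new
 *     process's name against it and, on a match, start tracing that PID
 *     and disarm the filter (only the first match is traced).
 *  2. Following the first child: if tracing_child is set and the process
 *     tracker reports a child, switch the trace from the root process to
 *     that child -- update the monitored CR3, tracepid and tracecr3,
 *     re-enable trace writes, and clear tracing_child so this runs once.
 *
 * If no CR3 can be found for the child yet, the switch is skipped with a
 * message and tracing_child stays set, so the check is repeated on the
 * next callback (as long as trackproc_found_child() still holds).
 *
 * NOTE(review): params->lmm.name is presumably guest-supplied; it is only
 * ever passed to procname_match() here, never used as a format string.
 */
static void tracing_proc_start(procmod_Callback_Params * params)
{
  if (params == NULL) {
    return;
  }

  /* Tracing by name: is this the process we are waiting for? */
  if (procname_is_set() && procname_match(params->lmm.name)) {
    uint32_t pid = params->lmm.pid;

    do_tracing_internal(pid, tracefile);
    monitor_printf(default_mon, "Tracing %s\n", procname_get());

    /* Only the first matching process is traced */
    procname_clear();
  }

  /* Following the first child: hand the trace over to it */
  if (tracing_child && trackproc_found_child()) {
    uint32_t curr_pid = trackproc_get_current_pid();

    /* Only switch to a process the tracker knows and that is not the root */
    if ((trackproc_find_pid(curr_pid) != -1) &&
        (curr_pid != trackproc_get_root_pid()))
    {
      uint32_t child_cr3 = find_cr3(curr_pid);

      /* PIDs and CR3s are uint32_t: print them with unsigned conversions
         (the original "%d" mismatched the argument type). */
      if (0 == child_cr3) {
        /* Page directory not known yet; tracing_child is left set */
        monitor_printf(default_mon,
                        "CR3 for child process %u not found\n",
                        (unsigned)curr_pid);
      }
      else {
        decaf_plugin->monitored_cr3 = child_cr3;
        tracepid = curr_pid;
        tracecr3 = child_cr3;
        monitor_printf(default_mon,
                        "Now tracing child process. PID: %u CR3: 0x%08x\n",
                        (unsigned)curr_pid, (unsigned)child_cr3);
        skip_trace_write = 0;
        tracing_child = 0;
      }
    }
  }
}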