static event_response_t file_name_cb(drakvuf_t drakvuf, drakvuf_trap_info_t *info) {
    vmi_instance_t vmi = drakvuf_lock_and_get_vmi(drakvuf);
    struct file_watch *watch = (struct file_watch*)info->trap->data;
    filetracer *f = watch->f;

    if (info->trap_pa == watch->file_name_buffer)
    {
        addr_t file_name = 0;
        uint16_t length = 0;
        vmi_read_addr_pa(vmi, watch->file_name_buffer, &file_name);
        vmi_read_16_pa(vmi, watch->file_name_length, &length);

        //printf("File name @ 0x%lx. Length: %u\n", file_name, length);

        if (file_name && length > 0 && length < VMI_PS_4KB) {
            char *procname = drakvuf_get_current_process_name(drakvuf, info->vcpu, info->regs);
            unicode_string_t str = { .contents = NULL };
            str.length = length;
            str.encoding = "UTF-16";
            str.contents = (unsigned char *)g_malloc0(length);
            vmi_read_va(vmi, file_name, 0, str.contents, length);
            unicode_string_t str2 = { .contents = NULL };
            status_t rc = vmi_convert_str_encoding(&str, &str2, "UTF-8");

            if (VMI_SUCCESS == rc) {

                switch(f->format) {
                case OUTPUT_CSV:
                    printf("filetracer,%" PRIu32 ",0x%" PRIx64 ",%s,%s\n",
                           info->vcpu, info->regs->cr3, procname, str2.contents);
                    break;
                default:
                case OUTPUT_DEFAULT:
                    printf("[FILETRACER] VCPU:%" PRIu32 " CR3:0x%" PRIx64 ",%s %s\n",
                           info->vcpu, info->regs->cr3, procname, str2.contents);
                    break;
                };

                g_free(str2.contents);
            }

            free(str.contents);
            free(procname);
            //printf("Requesting to free writetrap @ %p\n", info->trap);
            info->trap->data=f;
            drakvuf_remove_trap(drakvuf, info->trap, free_writetrap);
        }
/*
 * Detach a trap owned by this plugin and hand it back to drakvuf for removal.
 *
 * drakvuf: the drakvuf instance the trap was registered with.
 * trap:    the trap to tear down; it is unlinked from m_params first so the
 *          plugin's bookkeeping list never refers to a trap that drakvuf has
 *          already been asked to remove.
 *
 * destroy_plugin_params is passed as the third argument of
 * drakvuf_remove_trap; presumably it is the cleanup callback invoked once the
 * trap is actually released -- confirm against drakvuf_remove_trap's contract.
 * Note that g_slist_remove unlinks only the first matching node, so this
 * assumes a trap is present in m_params at most once.
 */
void pluginex::destroy_trap(drakvuf_t drakvuf, drakvuf_trap_t* trap)
{
    // Unlink from our own list before asking drakvuf to drop the trap.
    this->m_params = g_slist_remove(this->m_params, trap);

    // Request removal; cleanup of the trap's parameters is delegated to the
    // callback rather than done inline here.
    drakvuf_remove_trap(drakvuf, trap, destroy_plugin_params);
}