Support for adding traps into processes with drakvuf_trap_t
tklengyel committed Mar 30, 2016
1 parent 65b9998 commit 68dfc6d
Showing 3 changed files with 54 additions and 18 deletions.
59 changes: 50 additions & 9 deletions src/libdrakvuf/drakvuf.c
Expand Up @@ -179,18 +179,59 @@ bool drakvuf_add_trap(drakvuf_t drakvuf, drakvuf_trap_t *trap) {
goto done;
}

if(trap->lookup_type == LOOKUP_PID && trap->u.pid == 4) {
if (trap->module) {
vmi_instance_t vmi = drakvuf->vmi;

// Loop kernel modules
addr_t kernel_list_head;
vmi_read_addr_ksym(vmi, "PsLoadedModuleList", &kernel_list_head);
ret = inject_traps_modules(drakvuf, trap, kernel_list_head, 4, "System");
if(trap->lookup_type == LOOKUP_PID || trap->lookup_type == LOOKUP_NAME) {
if (trap->addr_type == ADDR_RVA && trap->module) {

vmi_pid_t pid = ~0;
const char *name = NULL;
addr_t module_list = 0;

if(trap->u.pid == 4 || !strcmp(trap->u.proc, "System")) {
pid = 4;
name = "System";

if(VMI_FAILURE == vmi_read_addr_ksym(drakvuf->vmi, "PsLoadedModuleList", &module_list))
goto done;
} else {
/* Process library */
addr_t process_base;

if(trap->lookup_type == LOOKUP_PID)
pid = trap->u.pid;
if(trap->lookup_type == LOOKUP_NAME)
name = trap->u.proc;

if( !drakvuf_find_eprocess(drakvuf, pid, name, &process_base) )
goto done;

if(pid == ~0 && VMI_FAILURE == vmi_read_32_va(drakvuf->vmi, process_base + offsets[EPROCESS_PID], 0, (uint32_t*)&pid))
goto done;

if( !drakvuf_get_module_list(drakvuf, process_base, &module_list) )
goto done;
}

ret = inject_traps_modules(drakvuf, trap, module_list, pid);
}

goto done;
if(trap->addr_type == ADDR_VA) {
addr_t dtb = vmi_pid_to_dtb(drakvuf->vmi, trap->u.pid);
if(!dtb)
goto done;

addr_t trap_pa = vmi_pagetable_lookup(drakvuf->vmi, dtb, trap->u2.addr);
if(!trap_pa)
goto done;

ret = inject_trap_pa(drakvuf, trap, trap_pa);
goto done;
}

if(trap->addr_type == ADDR_PA) {
fprintf(stderr, "DRAKVUF Trap misconfiguration: PID lookup specified for PA location\n");
}
}

} else {
ret = inject_trap_mem(drakvuf, trap);
}
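Review bot: The new `System` test `if(trap->u.pid == 4 || !strcmp(trap->u.proc, "System"))` reads both members of `u` regardless of `lookup_type`; if `u` is a union as the `u.pid`/`u.proc` naming suggests, a LOOKUP_PID trap whose pid is not 4 hands the integer pid to strcmp as a pointer, and a LOOKUP_NAME trap compares the pointer's bytes against 4. Guard each member by its lookup type: `if((trap->lookup_type == LOOKUP_PID && trap->u.pid == 4) || (trap->lookup_type == LOOKUP_NAME && !strcmp(trap->u.proc, "System")))`. The ADDR_VA branch has the same shape of problem: `vmi_pid_to_dtb(drakvuf->vmi, trap->u.pid)` is reached for LOOKUP_NAME traps too, where `u.pid` is not the field that was set, so either resolve the pid through drakvuf_find_eprocess as the ADDR_RVA branch does or restrict that branch to LOOKUP_PID before calling into the page-table lookup. drakvuf_add_trap starts and ends outside the hunk.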
10 changes: 3 additions & 7 deletions src/libdrakvuf/vmi.c
Expand Up @@ -697,17 +697,15 @@ bool inject_trap(drakvuf_t drakvuf,
bool inject_traps_modules(drakvuf_t drakvuf,
drakvuf_trap_t *trap,
addr_t list_head,
vmi_pid_t pid,
const char *name)

vmi_pid_t pid)
{
vmi_instance_t vmi = drakvuf->vmi;
addr_t next_module = list_head;

if (!trap)
return 0;

PRINT_DEBUG("Inject traps in module list of [%u]: %s\n", pid, name);
PRINT_DEBUG("Inject traps in module list of PID %u\n", pid);

while (1) {

Expand All @@ -718,9 +716,7 @@ bool inject_traps_modules(drakvuf_t drakvuf,
break;

addr_t dllbase = 0;
vmi_read_addr_va(vmi,
next_module + offsets[LDR_DATA_TABLE_ENTRY_DLLBASE], pid,
&dllbase);
vmi_read_addr_va(vmi, next_module + offsets[LDR_DATA_TABLE_ENTRY_DLLBASE], pid, &dllbase);

if (!dllbase)
break;
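Review bot: The reflowed `vmi_read_addr_va(vmi, next_module + offsets[LDR_DATA_TABLE_ENTRY_DLLBASE], pid, &dllbase);` still discards the call's return value, so a failed read is indistinguishable from a module with a zero DllBase and only stops the walk because of the `addr_t dllbase = 0;` initialiser two lines up. This commit already checks `VMI_FAILURE` on the ksym read in drakvuf.c, so the same pattern fits here: `if (VMI_FAILURE == vmi_read_addr_va(vmi, next_module + offsets[LDR_DATA_TABLE_ENTRY_DLLBASE], pid, &dllbase)) break;`. In the earlier hunk, `PRINT_DEBUG("Inject traps in module list of PID %u\n", pid);` prints a `vmi_pid_t` with `%u`; if that type is signed (the `~0` sentinel used for it in drakvuf.c suggests so), `%d` is the matching conversion. inject_traps_modules continues past the end of the hunk.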
3 changes: 1 addition & 2 deletions src/libdrakvuf/vmi.h
Expand Up @@ -284,8 +284,7 @@ bool inject_trap_pa(drakvuf_t drakvuf,
bool inject_traps_modules(drakvuf_t drakvuf,
drakvuf_trap_t *trap,
addr_t list_head,
vmi_pid_t pid,
const char *name);
vmi_pid_t pid);
void remove_trap(drakvuf_t drakvuf,
const drakvuf_trap_t *trap);

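Review bot: The changed `inject_traps_modules` prototype carries no documentation, and this header is where callers will read its contract now that the `name` parameter is gone. A Doxygen block above it along the lines of `/** Walk the module list starting at list_head in the address space of pid and inject trap into each module. Returns false when trap is NULL. */` would capture what the vmi.c definition in this commit shows; the meaning of the other return paths is not visible here and should be filled in by the author.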