Adding support to monitor specific process about drakvuf HOT 8 CLOSED

Take a look at https://github.com/tklengyel/drakvuf/blob/master/src/vmi.c#L567. That's where you would need to inject the traps for a specific pid.

from drakvuf.

Keep in mind though that you will need a lot more then just modifying that code - you would need to generate, read and store the Rekall profile of every library/executable you want to inject traps into. Right now this is only done for one Rekall profile that is for the kernel.

from drakvuf.

After generating all the rekall profile for user-level libraries such as ntdll, wininet,ws2_32, how can I put traps to these libraries? As inject_traps works by loop the kernel module list, however these libraries are not in kernel mode so they cannot be located just as ntoskrnl in https://github.com/tklengyel/drakvuf/blob/master/src/vmi.c#L508.

Despite of that, I forcibly executed inject_traps_modules for the specified pid and there are several problems:

1. How to combine the profile of different libraries into one? I tried to merge the same class into one, such as add the $CONSTAINTS of kernel32.dll profile into ntoskrnl.exe profile. But these remains two prolbems: first, the $METADATA of different profiles are almostly the same and hard to merge into one; secondly, the output of the sym_config name will all be ntoskrnl.exe in my condition which doesn't represent the actual library name
2. I've add a pid item into clone structure to specify the process I want to trap. I removed the comments at https://github.com/tklengyel/drakvuf/blob/master/src/vmi.c#L567. But I think inject_traps_pe is a sub process of inject_traps_modules. How can inject_traps_pe works without the dllbase set as ImageBaseAddress and sym_config set as NULL? So I removed https://github.com/tklengyel/drakvuf/blob/master/src/vmi.c#L569 and the constrain at https://github.com/tklengyel/drakvuf/blob/master/src/vmi.c#L508 to enable trap to pids besides pid 0 (system) and modules besides ntoskrnl.exe. But the outputs seem awkward with a lot of write memaccess event happened but no int3 event, even it is set in clone_vmi_thread.

Adding support of trapping specified process seems troublesome, but it's really needed in practical applications. Hope Your Comment

from drakvuf.

The modified code and testing results are listed in https://github.com/allewwaly/new-drakvuf/tree/master/src, with result4 being the latest result of the current code.

from drakvuf.

problem is done and the new drakvuf is updated at https://github.com/allewwaly/new-drakvuf

from drakvuf.

If you are interested in getting your code merged back into mainline drakvuf please open a PR. I'm sure others would be interested in using the extended feature set!

from drakvuf.

I have installed DRAKVUF from http://drakvuf.com/ .

I want to add a support to trap specific process and user level functions. How to add DRAKVUF update given at link https://github.com/allewwaly/new-drakvuf in my existing set up.

from drakvuf.

That fork is not compatible with the current version of DRAKVUF and will no not be merged in its current form. Support for this is planned to be added in the future but it's still just in the planning phase.

from drakvuf.