Comments (8)
Take a look at https://github.com/tklengyel/drakvuf/blob/master/src/vmi.c#L567. That's where you would need to inject the traps for a specific pid.
from drakvuf.
Keep in mind, though, that you will need a lot more than just modifying that code - you would need to generate, read and store the Rekall profile of every library/executable you want to inject traps into. Right now this is only done for one Rekall profile, the one for the kernel.
After generating all the Rekall profiles for user-level libraries such as ntdll, wininet, ws2_32, how can I put traps into these libraries? inject_traps works by looping over the kernel module list; however, these libraries are not in kernel mode, so they cannot be located the way ntoskrnl is in https://github.com/tklengyel/drakvuf/blob/master/src/vmi.c#L508.
Despite that, I forcibly executed inject_traps_modules for the specified pid and there are several problems:
- How to combine the profiles of different libraries into one? I tried to merge the same class into one, such as adding the $CONSTANTS of the kernel32.dll profile into the ntoskrnl.exe profile. But two problems remain: first, the $METADATA of different profiles are almost the same and hard to merge into one; secondly, the output of the sym_config name will all be ntoskrnl.exe in my condition, which doesn't represent the actual library name.
- I've added a pid item into the clone structure to specify the process I want to trap. I removed the comments at https://github.com/tklengyel/drakvuf/blob/master/src/vmi.c#L567. But I think inject_traps_pe is a sub-process of inject_traps_modules. How can inject_traps_pe work without the dllbase set as ImageBaseAddress and sym_config set as NULL? So I removed https://github.com/tklengyel/drakvuf/blob/master/src/vmi.c#L569 and the constraint at https://github.com/tklengyel/drakvuf/blob/master/src/vmi.c#L508 to enable traps for pids besides pid 0 (system) and modules besides ntoskrnl.exe. But the outputs seem awkward, with a lot of write memaccess events happening but no int3 event, even though it is set in clone_vmi_thread.
Adding support for trapping a specified process seems troublesome, but it's really needed in practical applications. Hoping for your comment.
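As an added illustration of the two points raised in this thread (one Rekall profile per module rather than a merged one, and the trap needing to know which library a symbol belongs to), here is a small Python sketch. It is not DRAKVUF's code nor the fork's; the profile contents, module base addresses, RVAs and the function names `build_store` and `plan_traps` are all constructed for the example. The only thing taken from the Rekall JSON layout is the `$METADATA` / `$CONSTANTS` key structure, and the point it makes is that keeping each profile separate preserves the owning module name (so the reported symbol source is `kernel32.dll`, not `ntoskrnl.exe`) and lets the address be computed from that module's base in the target process.

```python
import json
from dataclasses import dataclass

# Constructed sample profiles in the Rekall JSON layout ("$METADATA", "$CONSTANTS").
# Offsets are placeholders, not the real RVAs of these binaries.
SAMPLE_PROFILES = {
    "ntoskrnl.exe": json.dumps({
        "$METADATA": {"ProfileClass": "Ntkrnlmp", "Type": "Profile"},
        "$CONSTANTS": {"PsActiveProcessHead": 0x2A0160, "KiSystemCall64": 0x1C0000},
    }),
    "kernel32.dll": json.dumps({
        "$METADATA": {"ProfileClass": "Kernel32", "Type": "Profile"},
        "$CONSTANTS": {"CreateFileW": 0x1F0A0, "WriteFile": 0x1E4B0},
    }),
    "ntdll.dll": json.dumps({
        "$METADATA": {"ProfileClass": "Ntdll", "Type": "Profile"},
        "$CONSTANTS": {"NtCreateFile": 0x9F4A0, "NtWriteFile": 0x9F500},
    }),
}


@dataclass
class ModuleProfile:
    name: str
    metadata: dict   # kept per module, so nothing has to be merged or reconciled
    constants: dict  # symbol name -> RVA


@dataclass
class Trap:
    pid: int
    module: str      # owning module, so the reported name is never just ntoskrnl.exe
    symbol: str
    rva: int
    vaddr: int       # module base in the target process + RVA


class ProfileStore:
    """One profile per module; lookups are keyed by (module, symbol)."""

    def __init__(self):
        self.profiles = {}

    def load(self, module_name, profile_json):
        data = json.loads(profile_json)
        self.profiles[module_name.lower()] = ModuleProfile(
            name=module_name,
            metadata=data.get("$METADATA", {}),
            constants=data.get("$CONSTANTS", {}),
        )

    def resolve(self, module_name, symbol):
        """Return the RVA of symbol inside module_name, or raise KeyError."""
        prof = self.profiles.get(module_name.lower())
        if prof is None:
            raise KeyError(f"no profile loaded for {module_name}")
        if symbol not in prof.constants:
            raise KeyError(f"{symbol} not found in the {module_name} profile")
        return prof.constants[symbol]


def build_store():
    """Load the constructed sample profiles into a fresh store."""
    store = ProfileStore()
    for name, text in SAMPLE_PROFILES.items():
        store.load(name, text)
    return store


def plan_traps(store, pid, loaded_modules, wanted):
    """Compute trap addresses for one process.

    loaded_modules: {module name: base address} as read from that process's
    module list (constructed input here). wanted: list of (module, symbol).
    Modules not loaded in the process are skipped; a loaded module without a
    profile raises KeyError so the missing profile is noticed, not silently ignored.
    """
    bases = {name.lower(): base for name, base in loaded_modules.items()}
    traps = []
    for module, symbol in wanted:
        base = bases.get(module.lower())
        if base is None:
            continue  # library not mapped in this process; nothing to trap yet
        rva = store.resolve(module, symbol)
        traps.append(Trap(pid=pid, module=module, symbol=symbol, rva=rva, vaddr=base + rva))
    return traps


if __name__ == "__main__":
    store = build_store()
    # Constructed module list for a hypothetical user process; bases are placeholders.
    modules = {"ntdll.dll": 0x7FF8_0000_0000, "kernel32.dll": 0x7FF9_0000_0000}
    wanted = [("ntdll.dll", "NtCreateFile"), ("kernel32.dll", "WriteFile"),
              ("wininet.dll", "InternetOpenW")]
    for t in plan_traps(store, 1234, modules, wanted):
        print(f"pid={t.pid} {t.module}!{t.symbol} rva=0x{t.rva:x} vaddr=0x{t.vaddr:x}")
```

The module name travels with each trap, which is exactly what a merged single profile loses; and because `$METADATA` is stored per module, the near-identical metadata blocks never have to be reconciled.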
The modified code and testing results are listed in https://github.com/allewwaly/new-drakvuf/tree/master/src, with result4 being the latest result of the current code.
The problem is done and the new drakvuf is updated at https://github.com/allewwaly/new-drakvuf
If you are interested in getting your code merged back into mainline drakvuf please open a PR. I'm sure others would be interested in using the extended feature set!
I have installed DRAKVUF from http://drakvuf.com/.
I want to add support to trap a specific process and user-level functions. How do I add the DRAKVUF update given at the link https://github.com/allewwaly/new-drakvuf to my existing setup?
That fork is not compatible with the current version of DRAKVUF and will not be merged in its current form. Support for this is planned to be added in the future, but it's still just in the planning phase.