def attach(self):
self.log.info('attaching on %s', self.target_name)
# VM must be running
self.vmi.pause_vm()
if self.full_system_mode:
# no need to intercept a specific process
regs = self.vmi.get_vcpuregs(0)
self.target_dtb = regs[X86Reg.CR3]
return
cb_data = {'interrupted': False}
def cb_on_cr3_load(vmi, event):
pname = dtb_to_pname(vmi, event.cffi_event.reg_event.value)
self.log.info('intercepted %s', pname)
pattern = re.escape(self.target_name)
if re.match(pattern, pname, re.IGNORECASE):
vmi.pause_vm()
self.target_dtb = event.cffi_event.reg_event.value
self.target_pid = vmi.dtb_to_pid(self.target_dtb)
cb_data['interrupted'] = True
reg_event = RegEvent(X86Reg.CR3, RegAccess.W, cb_on_cr3_load)
self.vmi.register_event(reg_event)
self.vmi.resume_vm()
while not cb_data['interrupted']:
self.vmi.listen(1000)
# clear queue
self.vmi.listen(0)
# clear event
self.vmi.clear_event(reg_event)
def main(args):
logging.basicConfig(level=logging.INFO)
vm_name = args['<vm_name>']
# register SIGINT
signal.signal(signal.SIGINT, signal_handler)
# 1 - init LibVMI
kvm_socket = {
VMIInitData.KVMI_SOCKET: args['--kvmi-socket']
} if args['--kvmi-socket'] else None
with Libvmi(vm_name,
INIT_DOMAINNAME | INIT_EVENTS,
init_data=kvm_socket,
partial=True) as vmi:
counter = Counter()
# 2 - define CR3 callback
def cr3_callback(vmi, event):
cr3_value = event.value
logging.info("CR3 change: %s", hex(cr3_value))
counter[hex(cr3_value)] += 1
# 3 - define and register CR3-write event
with pause(vmi):
# register CR3-write event
reg_event = RegEvent(X86Reg.CR3, RegAccess.W, cr3_callback)
vmi.register_event(reg_event)
# 4 - listen for events
for i in range(0, 100):
vmi.listen(500)
logging.info(counter)
def test_regaccess(vmiev):
def callback(vmi, event):
event.data['counter'] += 1
if event.data['counter'] == 1000:
vmi.clear_event(event)
event.data['interrupted'] = True
event_data = {'interrupted': False, 'counter': 0}
reg_event = RegEvent(X86Reg.CR3, RegAccess.W, callback, data=event_data)
with pause(vmiev):
vmiev.register_event(reg_event)
while not event_data['interrupted']:
vmiev.listen(500)
def attach(self):
# 1 - pause to get a consistent memory access
self.vmi.pause_vm()
# 2 - find our target name in process list
# process name might include regex chars
pattern = re.escape(self.target_name)
found = [
desc for desc in self.list_processes()
if re.match(pattern, desc.name)
]
if not found:
logging.debug('%s not found in process list:', self.target_name)
for desc in self.list_processes():
logging.debug(desc)
raise RuntimeError('Could not find process')
if len(found) > 1:
logging.warning(
'Found %s processes matching "%s", picking the first match ([%s])',
len(found), self.target_name, found[0].pid)
self.target_desc = found[0]
# 4 - wait for our process to be scheduled (CR3 load)
cb_data = {'interrupted': False}
def cb_on_cr3_load(vmi, event):
found = [
desc for desc in self.list_processes()
if desc.dtb == event.cffi_event.reg_event.value
]
if not found:
raise RuntimeError('Cannot find currently scheduled process')
if len(found) > 2:
raise RuntimeError('Found multiple tasks matching same DTB')
desc = found[0]
self.log.info('intercepted %s', desc.name)
if desc.dtb == self.target_desc.dtb:
vmi.pause_vm()
cb_data['interrupted'] = True
reg_event = RegEvent(X86Reg.CR3, RegAccess.W, cb_on_cr3_load)
self.vmi.register_event(reg_event)
self.vmi.resume_vm()
while not cb_data['interrupted']:
self.vmi.listen(1000)
# clear queue
self.vmi.listen(0)
# clear event
self.vmi.clear_event(reg_event)
def main(args):
if len(args) != 2:
print('./memaccess-event.py <vm_name>')
return 1
vm_name = args[1]
# register SIGINT
signal.signal(signal.SIGINT, signal_handler)
with Libvmi(vm_name, INIT_DOMAINNAME | INIT_EVENTS) as vmi:
reg_event = RegEvent(X86Reg.CR3, RegAccess.W, callback)
vmi.register_event(reg_event)
# listen
while not interrupted:
print("Waiting for events")
vmi.listen(3000)
print("Stop listening")
def main(args):
logging.basicConfig(level=logging.INFO)
vm_name = args['<vm_name>']
# register SIGINT
signal.signal(signal.SIGINT, signal_handler)
kvm_socket = {
VMIInitData.KVMI_SOCKET: args['--kvmi-socket']
} if args['--kvmi-socket'] else None
with Libvmi(vm_name,
INIT_DOMAINNAME | INIT_EVENTS,
init_data=kvm_socket,
partial=True) as vmi:
msr_counter = Counter()
def msr_callback(vmi, event):
try:
name = MSR_NAME[event.msr]
except KeyError:
name = 'MSR'
logging.info("%s %s = %s", name, hex(event.msr), hex(event.value))
msr_counter[event.msr] += 1
# EternalBlue exploitation ?
if msr_counter[0x176] > 1:
logging.warn('MSR 0x176 modified %s times !',
msr_counter[0x176])
with pause(vmi):
# register MSR event
reg_event = RegEvent(MSR.ALL, RegAccess.W, msr_callback)
vmi.register_event(reg_event)
logging.info("listening")
while not interrupted:
vmi.listen(500)