def attach(self): self.log.info('attaching on %s', self.target_name) # VM must be running self.vmi.pause_vm() if self.full_system_mode: # no need to intercept a specific process regs = self.vmi.get_vcpuregs(0) self.target_dtb = regs[X86Reg.CR3] return cb_data = {'interrupted': False} def cb_on_cr3_load(vmi, event): pname = dtb_to_pname(vmi, event.cffi_event.reg_event.value) self.log.info('intercepted %s', pname) pattern = re.escape(self.target_name) if re.match(pattern, pname, re.IGNORECASE): vmi.pause_vm() self.target_dtb = event.cffi_event.reg_event.value self.target_pid = vmi.dtb_to_pid(self.target_dtb) cb_data['interrupted'] = True reg_event = RegEvent(X86Reg.CR3, RegAccess.W, cb_on_cr3_load) self.vmi.register_event(reg_event) self.vmi.resume_vm() while not cb_data['interrupted']: self.vmi.listen(1000) # clear queue self.vmi.listen(0) # clear event self.vmi.clear_event(reg_event)
def main(args): logging.basicConfig(level=logging.INFO) vm_name = args['<vm_name>'] # register SIGINT signal.signal(signal.SIGINT, signal_handler) # 1 - init LibVMI kvm_socket = { VMIInitData.KVMI_SOCKET: args['--kvmi-socket'] } if args['--kvmi-socket'] else None with Libvmi(vm_name, INIT_DOMAINNAME | INIT_EVENTS, init_data=kvm_socket, partial=True) as vmi: counter = Counter() # 2 - define CR3 callback def cr3_callback(vmi, event): cr3_value = event.value logging.info("CR3 change: %s", hex(cr3_value)) counter[hex(cr3_value)] += 1 # 3 - define and register CR3-write event with pause(vmi): # register CR3-write event reg_event = RegEvent(X86Reg.CR3, RegAccess.W, cr3_callback) vmi.register_event(reg_event) # 4 - listen for events for i in range(0, 100): vmi.listen(500) logging.info(counter)
def test_regaccess(vmiev): def callback(vmi, event): event.data['counter'] += 1 if event.data['counter'] == 1000: vmi.clear_event(event) event.data['interrupted'] = True event_data = {'interrupted': False, 'counter': 0} reg_event = RegEvent(X86Reg.CR3, RegAccess.W, callback, data=event_data) with pause(vmiev): vmiev.register_event(reg_event) while not event_data['interrupted']: vmiev.listen(500)
def attach(self): # 1 - pause to get a consistent memory access self.vmi.pause_vm() # 2 - find our target name in process list # process name might include regex chars pattern = re.escape(self.target_name) found = [ desc for desc in self.list_processes() if re.match(pattern, desc.name) ] if not found: logging.debug('%s not found in process list:', self.target_name) for desc in self.list_processes(): logging.debug(desc) raise RuntimeError('Could not find process') if len(found) > 1: logging.warning( 'Found %s processes matching "%s", picking the first match ([%s])', len(found), self.target_name, found[0].pid) self.target_desc = found[0] # 4 - wait for our process to be scheduled (CR3 load) cb_data = {'interrupted': False} def cb_on_cr3_load(vmi, event): found = [ desc for desc in self.list_processes() if desc.dtb == event.cffi_event.reg_event.value ] if not found: raise RuntimeError('Cannot find currently scheduled process') if len(found) > 2: raise RuntimeError('Found multiple tasks matching same DTB') desc = found[0] self.log.info('intercepted %s', desc.name) if desc.dtb == self.target_desc.dtb: vmi.pause_vm() cb_data['interrupted'] = True reg_event = RegEvent(X86Reg.CR3, RegAccess.W, cb_on_cr3_load) self.vmi.register_event(reg_event) self.vmi.resume_vm() while not cb_data['interrupted']: self.vmi.listen(1000) # clear queue self.vmi.listen(0) # clear event self.vmi.clear_event(reg_event)
def main(args): if len(args) != 2: print('./memaccess-event.py <vm_name>') return 1 vm_name = args[1] # register SIGINT signal.signal(signal.SIGINT, signal_handler) with Libvmi(vm_name, INIT_DOMAINNAME | INIT_EVENTS) as vmi: reg_event = RegEvent(X86Reg.CR3, RegAccess.W, callback) vmi.register_event(reg_event) # listen while not interrupted: print("Waiting for events") vmi.listen(3000) print("Stop listening")
def main(args): logging.basicConfig(level=logging.INFO) vm_name = args['<vm_name>'] # register SIGINT signal.signal(signal.SIGINT, signal_handler) kvm_socket = { VMIInitData.KVMI_SOCKET: args['--kvmi-socket'] } if args['--kvmi-socket'] else None with Libvmi(vm_name, INIT_DOMAINNAME | INIT_EVENTS, init_data=kvm_socket, partial=True) as vmi: msr_counter = Counter() def msr_callback(vmi, event): try: name = MSR_NAME[event.msr] except KeyError: name = 'MSR' logging.info("%s %s = %s", name, hex(event.msr), hex(event.value)) msr_counter[event.msr] += 1 # EternalBlue exploitation ? if msr_counter[0x176] > 1: logging.warn('MSR 0x176 modified %s times !', msr_counter[0x176]) with pause(vmi): # register MSR event reg_event = RegEvent(MSR.ALL, RegAccess.W, msr_callback) vmi.register_event(reg_event) logging.info("listening") while not interrupted: vmi.listen(500)