def new_proc(pid, pgd, name):
'''
Process creation callback. Receives 3 parameters:
:param pid: The pid of the process
:type pid: int
:param pgd: The PGD of the process
:type pgd: int
:param name: The name of the process
:type name: str
'''
global pyrebox_print
global procs_created
global target_procname
global cm
global pgd_target
global process_is_created
pyrebox_print("New process created! pid: %x, pgd: %x, name: %s" %
(pid, pgd, name))
procs_created += 1
# For instance, we can start the shell whenever a process is created
if target_procname != "" and target_procname.lower() in name.lower():
pgd_target = pgd
# At this point, the process has been created, but
# the main module (and dlls) have not been loaded yet.
# We put a callback on the context changes, and wait for
# the process to start executing.
process_is_created = 1
# set monitor to target process
api.start_monitoring_process(pgd_target)
cm.add_callback(CallbackManager.CONTEXTCHANGE_CB,
functools.partial(context_change, pgd, name),
name="context_change")
def __new_process_callback(self, params):
"""
Called by the callback manager when a new process is created.
"""
pid = params["pid"]
pgd = params["pgd"]
name = params["name"]
try:
# If we already have a running agent, ignore it
if self.__status < GuestAgentPlugin.__AGENT_RUNNING:
# Use only the first 8 characters since the name could be truncated
if name is not None and name != "" and name in self.__agent_filename:
self.__agent_pgd = pgd
# Monitor context change to check we can get the base address
# for the process main module
self.__cb.add_callback(api.CallbackManager.CONTEXTCHANGE_CB, functools.partial(
self.__context_change_callback, pgd, name), name="context_change_guest_agent")
self.__cb.add_callback(
api.CallbackManager.OPCODE_RANGE_CB, self.__opcode_range_callback,
name="host_file_plugin_opcode_range",
start_opcode=0x13f,
end_opcode=0x13f)
api.start_monitoring_process(pgd)
self.__status = GuestAgentPlugin.__AGENT_RUNNING
except Exception as e:
self.__printer("Exception occurred on create process callback: %s" % str(e))
def module_entry_point(params):
'''
Callback on the entry point of the main module being monitored
'''
global cm
global entry_point_bp
from api import CallbackManager
import api
# Get pameters
cpu_index = params["cpu_index"]
cpu = params["cpu"]
# Disable the entrypoint
entry_point_bp.disable()
# Get running process
pgd = api.get_running_process(cpu_index)
# Start monitoring process
api.start_monitoring_process(pgd)
pyrebox_print("Started monitoring process")
# Call all our internal callbacks
for cb in entry_point_callbacks:
cb(params)
def __new_process_callback(self, params):
"""
Called by the callback manager when a new process is created.
"""
pid = params["pid"]
pgd = params["pgd"]
name = params["name"]
try:
# If we already have a running agent, ignore it
if self.__status < GuestAgentPlugin.__AGENT_RUNNING:
# Use only the first 8 characters since the name could be truncated
if name is not None and name != "" and name in self.__agent_filename:
self.__agent_pgd = pgd
# Monitor context change to check we can get the base address
# for the process main module
self.__cb.add_callback(api.CallbackManager.CONTEXTCHANGE_CB, functools.partial(
self.__context_change_callback, pgd, name), name="context_change_guest_agent")
self.__cb.add_callback(
api.CallbackManager.OPCODE_RANGE_CB, self.__opcode_range_callback,
name="host_file_plugin_opcode_range",
start_opcode=0x13f,
end_opcode=0x13f)
api.start_monitoring_process(pgd)
self.__status = GuestAgentPlugin.__AGENT_RUNNING
except Exception as e:
self.__printer("Exception occurred on create process callback: %s" % str(e))
def mw_monitor_start_monitoring_process(new_proc, insert_proc=True):
'''
This function sets up all the callbacks and structures
necessary to monitor a process.
:param new_proc: The process to start monitoring as a instance of Process
:type new_proc: Process
:param insert_proc: (Optional) Whether to insert the process in the list of
monitored processes (internal to this script).
:type insert_proc: bool
'''
from coverage import block_executed
from api_tracer import apitracer_start_monitoring_process
from dumper import dumper_start_monitoring_process
from api import CallbackManager
import api
# Insert the process, if necessary
if insert_proc:
mwmon.data.procs.append(new_proc)
# Start monitoring the process
api.start_monitoring_process(new_proc.get_pgd())
mwmon.printer("Started monitoring process with PGD %x and name %s" %
(new_proc.get_pgd(), new_proc.get_proc_name()))
# coverage module
# Create a callback and trigger for each process
if mwmon.coverage and (mwmon.coverage_procs is None
or new_proc.proc_name in mwmon.coverage_procs):
mwmon.cm.add_callback(CallbackManager.BLOCK_BEGIN_CB,
functools.partial(block_executed, proc=new_proc),
name="block_begin_coverage_%d" %
new_proc.proc_num)
mwmon.cm.add_trigger("block_begin_coverage_%d" % new_proc.proc_num,
"triggers/trigger_block_user_only_coverage.so")
mwmon.cm.set_trigger_var(
"block_begin_coverage_%d" % (new_proc.proc_num), "cr3",
new_proc.get_pgd())
mwmon.cm.set_trigger_var(
"block_begin_coverage_%d" % (new_proc.proc_num), "proc_num",
new_proc.proc_num)
# Output file name, with pid
mwmon.cm.set_trigger_var(
"block_begin_coverage_%d" % (new_proc.proc_num), "log_name",
mwmon.coverage_log_name + ".%x" % (new_proc.pid))
# api tracer module
if mwmon.api_tracer and (mwmon.api_tracer_procs is None
or new_proc.proc_name in mwmon.api_tracer_procs):
apitracer_start_monitoring_process(new_proc)
# dumper module
if mwmon.dumper:
dumper_start_monitoring_process(new_proc)
mwmon.cm.add_callback(CallbackManager.CONTEXTCHANGE_CB,
functools.partial(context_change, new_proc,
new_proc.get_proc_name()),
name="context_change_%x" % new_proc.get_pgd())
def module_entry_point(params):
'''
Callback on the entry point of the main module being monitored
'''
global cm
global UNPACKER_LOG_PATH
global UNPACKER_DUMP_PATH
global pyrebox_print
global ntdll_space
from api import CallbackManager
import api
# Get pameters
cpu_index = params["cpu_index"]
cpu = params["cpu"]
# Get running process
pgd = api.get_running_process(cpu_index)
pyrebox_print("Reached entry point of new process: %x" % pgd)
# Add memory write / memory execute callbacks, and their triggers
cm.add_callback(CallbackManager.MEM_WRITE_CB,
mem_write,
name="mem_write_%x" % pgd)
cm.add_callback(CallbackManager.BLOCK_BEGIN_CB,
block_exec,
name="block_begin_%x" % pgd)
cm.add_trigger("mem_write_%x" % pgd, "triggers/trigger_memwrite_wx.so")
cm.set_trigger_var("mem_write_%x" % pgd, "begin", 0x0)
if TARGET_LONG_SIZE == 4:
cm.set_trigger_var("mem_write_%x" % pgd, "end", 0x80000000)
else:
cm.set_trigger_var("mem_write_%x" % pgd, "end", 0x000007FFFFFFFFFF)
cm.set_trigger_var("mem_write_%x" % pgd, "pgd", pgd)
cm.add_trigger("block_begin_%x" % pgd, "triggers/trigger_blockbegin_wx.so")
cm.set_trigger_var("block_begin_%x" % pgd, "begin", 0x0)
if TARGET_LONG_SIZE == 4:
cm.set_trigger_var("block_begin_%x" % pgd, "end", 0x80000000)
else:
cm.set_trigger_var("block_begin_%x" % pgd, "end", 0x000007FFFFFFFFFF)
cm.set_trigger_var("block_begin_%x" % pgd, "pgd", pgd)
# Start monitoring process
api.start_monitoring_process(pgd)
# Create a dump, on process entry point for every process
generate_dump(pgd, "Dump at process entry point for PGD 0x%x" % pgd)
# Get the address space for ntdll
for mod in api.get_module_list(pgd):
if "ntdll.dll" in mod["name"].lower():
ntdll_space = (mod["base"], mod["size"])
def mw_monitor_start_monitoring_process(new_proc, insert_proc=True):
'''
This function sets up all the callbacks and structures
necessary to monitor a process.
:param new_proc: The process to start monitoring as a instance of Process
:type new_proc: Process
:param insert_proc: (Optional) Whether to insert the process in the list of
monitored processes (internal to this script).
:type insert_proc: bool
'''
from coverage import block_executed
from api_tracer import apitracer_start_monitoring_process
from dumper import dumper_start_monitoring_process
from api import CallbackManager
import api
# Insert the process, if necessary
if insert_proc:
mwmon.data.procs.append(new_proc)
# Start monitoring the process
api.start_monitoring_process(new_proc.get_pgd())
mwmon.printer("Started monitoring process with PGD %x and name %s" %
(new_proc.get_pgd(),
new_proc.get_proc_name()))
# coverage module
# Create a callback and trigger for each process
if mwmon.coverage and (mwmon.coverage_procs is None or new_proc.proc_name in mwmon.coverage_procs):
mwmon.cm.add_callback(CallbackManager.BLOCK_BEGIN_CB, functools.partial(
block_executed, proc=new_proc), name="block_begin_coverage_%d" % new_proc.proc_num)
mwmon.cm.add_trigger("block_begin_coverage_%d" %
new_proc.proc_num, "triggers/trigger_block_user_only_coverage.so")
mwmon.cm.set_trigger_var("block_begin_coverage_%d" %
(new_proc.proc_num), "cr3", new_proc.get_pgd())
mwmon.cm.set_trigger_var("block_begin_coverage_%d" %
(new_proc.proc_num), "proc_num", new_proc.proc_num)
# Output file name, with pid
mwmon.cm.set_trigger_var("block_begin_coverage_%d" %
(new_proc.proc_num), "log_name", mwmon.coverage_log_name + ".%x" % (new_proc.pid))
# api tracer module
if mwmon.api_tracer and (mwmon.api_tracer_procs is None or new_proc.proc_name in mwmon.api_tracer_procs):
apitracer_start_monitoring_process(new_proc)
# dumper module
if mwmon.dumper:
dumper_start_monitoring_process(new_proc)
mwmon.cm.add_callback(CallbackManager.CONTEXTCHANGE_CB,
functools.partial(context_change, new_proc, new_proc.get_proc_name()),
name="context_change_%x" % new_proc.get_pgd())
def ep_hit(cpu_index, cpu):
global target_pgd
api.start_monitoring_process(target_pgd)
simbols = api.get_symbol_list(target_pgd)
for sim in simbols:
if sim["name"] == "GetDiskFreeSpaceExW" or sim[
"name"] == "GetDiskFreeSpaceExA":
pyrebox_print("found! %s" % sim["addr"])
cm.add_callback(CallbackManager.INSN_BEGIN_CB,
GetFreeSpaceCalled,
addr=sim["addr"],
pgd=target_pgd)
start_shell()
def new_process_created(pid, pgd, name):
global process_is_created
global cm
global target_pgd
global sample_name
global pyrebox_print
if name == sample_name:
target_pgd = pgd
process_is_created = 1
pyrebox_print("[*] Process created")
api.start_monitoring_process(target_pgd)
cm.add_callback(CallbackManager.CONTEXTCHANGE_CB,
functools.partial(context_change, pgd, name),
name="context_change")
cm.rm_callback("vmi_new_proc")
def module_entry_point(params):
'''
Callback on the entry point of the main module being monitored
'''
global cm
global entry_point_bp
global UNPACKER_LOG_PATH
global UNPACKER_DUMP_PATH
from api import CallbackManager
import api
# Get pameters
cpu_index = params["cpu_index"]
cpu = params["cpu"]
# Get running process
pgd = api.get_running_process(cpu_index)
# Add memory write / memory execute callbacks, and their triggers
cm.add_callback(CallbackManager.MEM_WRITE_CB, mem_write, name="mem_write")
cm.add_callback(CallbackManager.BLOCK_BEGIN_CB,
block_exec,
name="block_begin")
cm.add_trigger("mem_write", "triggers/trigger_memwrite_wx.so")
cm.set_trigger_var("mem_write", "begin", 0x0)
if TARGET_LONG_SIZE == 4:
cm.set_trigger_var("mem_write", "end", 0x80000000)
else:
cm.set_trigger_var("mem_write", "end", 0x000007FFFFFFFFFF)
cm.set_trigger_var("mem_write", "pgd", pgd)
cm.add_trigger("block_begin", "triggers/trigger_blockbegin_wx.so")
cm.set_trigger_var("block_begin", "begin", 0x0)
if TARGET_LONG_SIZE == 4:
cm.set_trigger_var("block_begin", "end", 0x80000000)
else:
cm.set_trigger_var("block_begin", "end", 0x000007FFFFFFFFFF)
cm.set_trigger_var("block_begin", "pgd", pgd)
# Start monitoring process
api.start_monitoring_process(pgd)
pyrebox_print("Started monitoring process")
def new_proc(pid, pgd, name):
global cm
global target_procname
global pyrebox_print
import api
if target_procname is not None and target_procname in name.lower():
pyrebox_print("Started monitoring process %s" % name)
cm.add_trigger("mem_write", "triggers/trigger_memwrite_wx.so")
cm.set_trigger_var("mem_write", "begin", 0x0)
cm.set_trigger_var("mem_write", "end", 0x80000000)
cm.set_trigger_var("mem_write", "pgd", pgd)
cm.add_trigger("block_begin", "triggers/trigger_blockbegin_wx.so")
cm.set_trigger_var("block_begin", "begin", 0x0)
cm.set_trigger_var("block_begin", "end", 0x80000000)
cm.set_trigger_var("block_begin", "pgd", pgd)
api.start_monitoring_process(pgd)
def new_proc(params):
global cm
global target_procname
global target_pgd
global pyrebox_print
import api
pid = params["pid"]
pgd = params["pgd"]
name = params["name"]
if target_procname is not None and target_procname in name.lower():
pyrebox_print("Started monitoring process %s" % name)
cm.add_trigger(
"block_begin",
"exploit_detect/trigger_block_begin_shellcode_detect.so")
cm.set_trigger_var("block_begin", "pgd", pgd)
cm.set_trigger_var("block_begin", "shift", 0x1000)
api.start_monitoring_process(pgd)
target_pgd = pgd
def module_entry_point(params):
'''
Callback on the entry point of the main module being monitored
'''
global cm
global entry_point_bp
from api import CallbackManager
import api
import functools
from ipython_shell import start_shell
# Get pameters
cpu_index = params["cpu_index"]
cpu = params["cpu"]
# Disable the entrypoint
entry_point_bp.disable()
# Get running process
pgd = api.get_running_process(cpu_index)
#E8 cw CALL rel16 Call near, relative, displacement relative to next instruction
#E8 cd CALL rel32 Call near, relative, displacement relative to next instruction
#FF /2 CALL r/m16 Call near, absolute indirect, address given in r/m16
#FF /2 CALL r/m32 Call near, absolute indirect, address given in r/m32
#9A cd CALL ptr16:16 Call far, absolute, address given in operand
#9A cp CALL ptr16:32 Call far, absolute, address given in operand
#FF /3 CALL m16:16 Call far, absolute indirect, address given in m16:16
#FF /3 CALL m16:32 Call far, absolute indirect, address given in m16:32
cm.add_callback(CallbackManager.OPCODE_RANGE_CB,
functools.partial(opcode_range, "call_e8"),
name="call_e8",
start_opcode=0xE8,
end_opcode=0xE8)
cm.add_callback(CallbackManager.OPCODE_RANGE_CB,
functools.partial(opcode_range, "call_ff"),
name="call_ff",
start_opcode=0xFF,
end_opcode=0xFF)
cm.add_callback(CallbackManager.OPCODE_RANGE_CB,
functools.partial(opcode_range, "call_9a"),
name="call_9a",
start_opcode=0x9A,
end_opcode=0x9A)
#C3 RET NP Valid Valid Near return to calling procedure.
#CB RET NP Valid Valid Far return to calling procedure.
#C2 iw RET imm16 I Valid Valid Near return to calling procedure and pop imm16 bytes from stack.
#CA iw RET imm16 I Valid Valid Far return to calling procedure and pop imm16 bytes from stack.
cm.add_callback(CallbackManager.OPCODE_RANGE_CB,
functools.partial(opcode_range, "ret_c3"),
name="ret_c3",
start_opcode=0xC3,
end_opcode=0xC3)
cm.add_callback(CallbackManager.OPCODE_RANGE_CB,
functools.partial(opcode_range, "ret_cb"),
name="ret_cb",
start_opcode=0xCB,
end_opcode=0xCB)
cm.add_callback(CallbackManager.OPCODE_RANGE_CB,
functools.partial(opcode_range, "ret_c2"),
name="ret_c2",
start_opcode=0xC2,
end_opcode=0xC2)
cm.add_callback(CallbackManager.OPCODE_RANGE_CB,
functools.partial(opcode_range, "ret_ca"),
name="ret_ca",
start_opcode=0xCA,
end_opcode=0xCA)
cm.add_trigger("call_e8", "exploit_detect/trigger_shadow_stack.so")
cm.set_trigger_var("call_e8", "pgd", pgd)
cm.set_trigger_var("call_e8", "thread_independent", 0)
cm.add_trigger("call_ff", "exploit_detect/trigger_shadow_stack.so")
cm.set_trigger_var("call_ff", "pgd", pgd)
cm.set_trigger_var("call_ff", "thread_independent", 0)
cm.add_trigger("call_9a", "exploit_detect/trigger_shadow_stack.so")
cm.set_trigger_var("call_9a", "pgd", pgd)
cm.set_trigger_var("call_9a", "thread_independent", 0)
cm.add_trigger("ret_c3", "exploit_detect/trigger_shadow_stack.so")
cm.set_trigger_var("ret_c3", "pgd", pgd)
cm.set_trigger_var("ret_c3", "thread_independent", 0)
cm.add_trigger("ret_cb", "exploit_detect/trigger_shadow_stack.so")
cm.set_trigger_var("ret_cb", "pgd", pgd)
cm.set_trigger_var("ret_cb", "thread_independent", 0)
cm.add_trigger("ret_c2", "exploit_detect/trigger_shadow_stack.so")
cm.set_trigger_var("ret_c2", "pgd", pgd)
cm.set_trigger_var("ret_c2", "thread_independent", 0)
cm.add_trigger("ret_ca", "exploit_detect/trigger_shadow_stack.so")
cm.set_trigger_var("ret_ca", "pgd", pgd)
cm.set_trigger_var("ret_ca", "thread_independent", 0)
pyrebox_print("Started monitoring process")
# Start monitoring process
api.start_monitoring_process(pgd)
def module_entry_point(params):
'''
Callback on the entry point of the main module being monitored
'''
global APITRACER_ANTI_STOLEN
global APITRACER_ENABLE_JMP
global APITRACER_ENABLE_RET
global cm
global pyrebox_print
import os
from api import CallbackManager
import api
from interproc import interproc_data
# Get pameters
cpu_index = params["cpu_index"]
cpu = params["cpu"]
# Get running process
pgd = api.get_running_process(cpu_index)
new_proc = interproc_data.get_process_by_pgd(pgd)
pid = new_proc.get_pid()
pyrebox_print("Initializing API tracer for process %x" % pgd)
cb_func = functools.partial(opcodes, proc=new_proc)
#E8 cw CALL rel16 Call near, relative, displacement relative to next instruction
#E8 cd CALL rel32 Call near, relative, displacement relative to next instruction
#FF /2 CALL r/m16 Call near, absolute indirect, address given in r/m16
#FF /2 CALL r/m32 Call near, absolute indirect, address given in r/m32
#9A cd CALL ptr16:16 Call far, absolute, address given in operand
#9A cp CALL ptr16:32 Call far, absolute, address given in operand
#FF /3 CALL m16:16 Call far, absolute indirect, address given in m16:16
#FF /3 CALL m16:32 Call far, absolute indirect, address given in m16:32
cm.add_callback(CallbackManager.OPCODE_RANGE_CB,
functools.partial(cb_func, cb_name="call_e8_%x" % pid),
name="call_e8_%x" % pid,
start_opcode=0xE8,
end_opcode=0xE8)
cm.add_callback(CallbackManager.OPCODE_RANGE_CB,
functools.partial(cb_func, cb_name="call_ff_%x" % pid),
name="call_ff_%x" % pid,
start_opcode=0xFF,
end_opcode=0xFF)
cm.add_callback(CallbackManager.OPCODE_RANGE_CB,
functools.partial(cb_func, cb_name="call_9a_%x" % pid),
name="call_9a_%x" % pid,
start_opcode=0x9A,
end_opcode=0x9A)
cm.add_trigger("call_e8_%x" % pid,
"mw_monitor2/trigger_jmp_call_ret_tracer.so")
cm.set_trigger_var("call_e8_%x" % pid, "pgd", pgd)
cm.set_trigger_var("call_e8_%x" % pid, "enable_ff_jmp",
1 if APITRACER_ENABLE_JMP else 0)
cm.add_trigger("call_ff_%x" % pid,
"mw_monitor2/trigger_jmp_call_ret_tracer.so")
cm.set_trigger_var("call_ff_%x" % pid, "pgd", pgd)
cm.set_trigger_var("call_ff_%x" % pid, "enable_ff_jmp",
1 if APITRACER_ENABLE_JMP else 0)
cm.add_trigger("call_9a_%x" % pid,
"mw_monitor2/trigger_jmp_call_ret_tracer.so")
cm.set_trigger_var("call_9a_%x" % pid, "pgd", pgd)
cm.set_trigger_var("call_9a_%x" % pid, "enable_ff_jmp",
1 if APITRACER_ENABLE_JMP else 0)
#C3 RET NP Valid Valid Near return to calling procedure.
#CB RET NP Valid Valid Far return to calling procedure.
#C2 iw RET imm16 I Valid Valid Near return to calling procedure and pop imm16 bytes from stack.
#CA iw RET imm16 I Valid Valid Far return to calling procedure and pop imm16 bytes from stack.
if APITRACER_ENABLE_RET:
cm.add_callback(CallbackManager.OPCODE_RANGE_CB,
functools.partial(cb_func, cb_name="ret_c3_%x" % pid),
name="ret_c3_%x" % pid,
start_opcode=0xC3,
end_opcode=0xC3)
cm.add_callback(CallbackManager.OPCODE_RANGE_CB,
functools.partial(cb_func, cb_name="ret_cb_%x" % pid),
name="ret_cb_%x" % pid,
start_opcode=0xCB,
end_opcode=0xCB)
cm.add_callback(CallbackManager.OPCODE_RANGE_CB,
functools.partial(cb_func, cb_name="ret_c2_%x" % pid),
name="ret_c2_%x" % pid,
start_opcode=0xC2,
end_opcode=0xC2)
cm.add_callback(CallbackManager.OPCODE_RANGE_CB,
functools.partial(cb_func, cb_name="ret_ca_%x" % pid),
name="ret_ca_%x" % pid,
start_opcode=0xCA,
end_opcode=0xCA)
cm.add_trigger("ret_c3_%x" % pid,
"mw_monitor2/trigger_jmp_call_ret_tracer.so")
cm.set_trigger_var("ret_c3_%x" % pid, "pgd", pgd)
cm.set_trigger_var("ret_c3_%x" % pid, "enable_ff_jmp",
1 if APITRACER_ENABLE_JMP else 0)
cm.add_trigger("ret_cb_%x" % pid,
"mw_monitor2/trigger_jmp_call_ret_tracer.so")
cm.set_trigger_var("ret_cb_%x" % pid, "pgd", pgd)
cm.set_trigger_var("ret_cb_%x" % pid, "enable_ff_jmp",
1 if APITRACER_ENABLE_JMP else 0)
cm.add_trigger("ret_c2_%x" % pid,
"mw_monitor2/trigger_jmp_call_ret_tracer.so")
cm.set_trigger_var("ret_c2_%x" % pid, "pgd", pgd)
cm.set_trigger_var("ret_c2_%x" % pid, "enable_ff_jmp",
1 if APITRACER_ENABLE_JMP else 0)
cm.add_trigger("ret_ca_%x" % pid,
"mw_monitor2/trigger_jmp_call_ret_tracer.so")
cm.set_trigger_var("ret_ca_%x" % pid, "pgd", pgd)
cm.set_trigger_var("ret_ca_%x" % pid, "enable_ff_jmp",
1 if APITRACER_ENABLE_JMP else 0)
#EB cb JMP rel8 Jump short, RIP = RIP + 8-bit displacement sign extended to 64-bits
#E9 cw JMP rel16 Jump near, relative, displacement relative to next instruction. Not supported in 64-bit mode.
#E9 cd JMP rel32 Jump near, relative, RIP = RIP + 32-bit displacement sign extended to 64-bits
#FF /4 JMP r/m16 Jump near, absolute indirect, address = zeroextended r/m16. Not supported in 64-bit mode.
#FF /4 JMP r/m32 Jump near, absolute indirect, address given in r/m32. Not supported in 64-bit mode.
#FF /4 JMP r/m64 Jump near, absolute indirect, RIP = 64-Bit offset from register or memory
#EA cd JMP ptr16:16 Jump far, absolute, address given in operand
#EA cp JMP ptr16:32 Jump far, absolute, address given in operand
#FF /5 JMP m16:16 Jump far, absolute indirect, address given in m16:16
#FF /5 JMP m16:32 Jump far, absolute indirect, address given in m16:32.
#FF /5 JMP m16:64 Jump far, absolute indirect, address given in m16:64
if APITRACER_ENABLE_JMP:
cm.add_callback(CallbackManager.OPCODE_RANGE_CB,
functools.partial(cb_func, cb_name="jmp_e9_%x" % pid),
name="jmp_e9_%x" % pid,
start_opcode=0xE9,
end_opcode=0xE9)
cm.add_callback(CallbackManager.OPCODE_RANGE_CB,
functools.partial(cb_func, cb_name="jmp_ea_%x" % pid),
name="jmp_ea_%x" % pid,
start_opcode=0xEA,
end_opcode=0xEA)
cm.add_callback(CallbackManager.OPCODE_RANGE_CB,
functools.partial(cb_func, cb_name="jmp_eb_%x" % pid),
name="jmp_eb_%x" % pid,
start_opcode=0xEB,
end_opcode=0xEB)
cm.add_trigger("jmp_e9_%x" % pid,
"mw_monitor2/trigger_jmp_call_ret_tracer.so")
cm.set_trigger_var("jmp_e9_%x" % pid, "pgd", pgd)
cm.set_trigger_var("jmp_e9_%x" % pid, "enable_ff_jmp",
1 if APITRACER_ENABLE_JMP else 0)
cm.add_trigger("jmp_ea_%x" % pid,
"mw_monitor2/trigger_jmp_call_ret_tracer.so")
cm.set_trigger_var("jmp_ea_%x" % pid, "pgd", pgd)
cm.set_trigger_var("jmp_ea_%x" % pid, "enable_ff_jmp",
1 if APITRACER_ENABLE_JMP else 0)
cm.add_trigger("jmp_eb_%x" % pid,
"mw_monitor2/trigger_jmp_call_ret_tracer.so")
cm.set_trigger_var("jmp_eb_%x" % pid, "pgd", pgd)
cm.set_trigger_var("jmp_eb_%x" % pid, "enable_ff_jmp",
1 if APITRACER_ENABLE_JMP else 0)
# Start monitoring process
api.start_monitoring_process(pgd)
