예제 #1
0
def add_module_monitoring_hooks(pgd):
    ''' 
    Adds initial set of breakpoints for a given process, so that
    we can detect when a new module is inserted, or a module is
    removed from any of its linked lists.
    '''
    from api import BP
    import api
    from vmi import update_modules
    import functools
    from utils import pp_error

    if pgd not in module_load_remove_breakpoints:
        module_load_remove_breakpoints[pgd] = {}

    # Update the module list for this pgd
    hooking_points = update_modules(pgd)

    if hooking_points is not None:
        # Add the BPW breakpoints
        for module_base, addr, size in hooking_points:
            haddr = api.va_to_pa(pgd, addr)
            bp = BP(haddr,
                    None,
                    size=size,
                    typ=BP.MEM_WRITE_PHYS,
                    func=functools.partial(module_change_callback, pgd, addr,
                                           haddr),
                    new_style=True)
            module_load_remove_breakpoints[pgd][(module_base, addr, size)] = bp
            bp.enable()
    else:
        pp_error(
            "Could not set initial list of breakpoints for module monitoring: %x"
            % pgd)
예제 #2
0
def add_module_monitoring_hooks(pgd):
    ''' 
    Adds initial set of breakpoints for a given process, so that
    we can detect when a new module is inserted, or a module is
    removed from any of its linked lists.
    '''
    from api import BP
    import api
    from vmi import update_modules
    import functools
    from utils import pp_error

    if pgd not in module_load_remove_breakpoints:
        module_load_remove_breakpoints[pgd] = {}

    # Update the module list for this pgd
    hooking_points = update_modules(pgd)

    if hooking_points is not None:
        # Add the BPW breakpoints
        for module_base, addr, size in hooking_points:
            haddr = api.va_to_pa(pgd, addr)
            bp = BP(haddr, 
                    None, 
                    size = size, 
                    typ = BP.MEM_WRITE_PHYS,
                    func = functools.partial(module_change_callback, pgd, addr, haddr),
                    new_style = True)
            module_load_remove_breakpoints[pgd][(module_base, addr, size)] = bp
            bp.enable()
    else:
        pp_error("Could not set initial list of breakpoints for module monitoring: %x" % pgd)
예제 #3
0
def module_change_callback(pgd, bp_vaddr, bp_haddr, cpu_index, vaddr, size, haddr, data):
    '''
    Callback function triggered whenever there is a change in the list of linked
    modules for a given process.
 
    Updates the module list for that PGD (or kernel).
    ''' 
    import functools
    import struct
    import api
    from api import BP
    from vmi import update_modules
    from utils import pp_error
    from vmi import set_modules_non_present
    from vmi import clean_non_present_modules

    # First, we check if the memory address written points to a module
    # that we have already detected (it is in our list of hooking points).
    # In this way we avoid triggering one update operation for every
    # modified pointer (inserting a module requires to change several
    # pointers, due to the different linked lists).
   
    # Return if it points inside a module that we have already added to our list
    for module_base, hook_addr, hook_size in module_load_remove_breakpoints[pgd]:
        if data >= module_base and data < (hook_addr + hook_size):
            return

    hooking_points = update_modules(pgd)

    if hooking_points is not None:
        # Update hooking points
        # 1) Remove the breakpoints not used anymore
        bps_to_remove = []
        for hp in module_load_remove_breakpoints[pgd]:
            if hp not in hooking_points:
                bps_to_remove.append(hp)

        for hp in bps_to_remove:
            module_load_remove_breakpoints[pgd][hp].disable()
            del module_load_remove_breakpoints[pgd][hp]

        # 2) Add new breakpoints
        for hp in hooking_points:
            if hp not in module_load_remove_breakpoints[pgd]:
                 module_base, addr, size = hp
                 haddr = api.va_to_pa(pgd, addr)
                 bp = BP(haddr,
                         None,
                         size = size,
                         typ = BP.MEM_WRITE_PHYS,
                         func = functools.partial(module_change_callback, pgd, addr, haddr))
                 module_load_remove_breakpoints[pgd][hp] = bp
                 bp.enable()
    else:
        # Just remove all the  modules for the process
        # Mark all modules as non-present
        set_modules_non_present(None, pgd)
        # Remove all the modules that are not marked as present
        clean_non_present_modules(None, pgd)
예제 #4
0
def module_change_callback(pgd, bp_vaddr, bp_haddr, params):
    '''
    Callback function triggered whenever there is a change in the list of linked
    modules for a given process.
 
    Updates the module list for that PGD (or kernel).
    ''' 
    import functools
    import struct
    import api
    from api import BP
    from vmi import update_modules
    from utils import pp_error
    from vmi import set_modules_non_present
    from vmi import clean_non_present_modules

    cpu_index = params["cpu_index"]
    vaddr = params["vaddr"]
    size = params["size"]
    haddr = params["haddr"]
    data = params["data"]

    # First, we check if the memory address written points to a module
    # that we have already detected (it is in our list of hooking points).
    # In this way we avoid triggering one update operation for every
    # modified pointer (inserting a module requires to change several
    # pointers, due to the different linked lists).
   
    # Return if it points inside a module that we have already added to our list
    for module_base, hook_addr, hook_size in module_load_remove_breakpoints[pgd]:
        if data >= module_base and data < (hook_addr + hook_size):
            return

    hooking_points = update_modules(pgd)

    if hooking_points is not None:
        # Update hooking points
        # 1) Remove the breakpoints not used anymore
        bps_to_remove = []
        for hp in module_load_remove_breakpoints[pgd]:
            if hp not in hooking_points:
                bps_to_remove.append(hp)

        for hp in bps_to_remove:
            module_load_remove_breakpoints[pgd][hp].disable()
            del module_load_remove_breakpoints[pgd][hp]

        # 2) Add new breakpoints
        for hp in hooking_points:
            if hp not in module_load_remove_breakpoints[pgd]:
                 module_base, addr, size = hp
                 haddr = api.va_to_pa(pgd, addr)
                 bp = BP(haddr,
                         None,
                         size = size,
                         typ = BP.MEM_WRITE_PHYS,
                         func = functools.partial(module_change_callback, pgd, addr, haddr),
                         new_style = True)
                 module_load_remove_breakpoints[pgd][hp] = bp
                 bp.enable()
    else:
        # Just remove all the  modules for the process
        # Mark all modules as non-present
        set_modules_non_present(None, pgd)
        # Remove all the modules that are not marked as present
        clean_non_present_modules(None, pgd)