def setupProject(project):
    """Wire the syscall fuzzer into *project*.

    Registers a syscall generator (with a fixed list of syscall numbers it
    must never emit and fixed arguments for exit/old_select), the traced
    process, a process watcher and a syslog probe scoring 'syscall' hits.
    """
    # Syscall numbers the generator must never emit; each entry is named
    # in the trailing comment (process creation, suspension, reboot, ...)
    skipped = set([
        2, 120, 190,   # fork, clone, vfork
        29, 72,        # pause, sigsuspend (suspend until signal send)
        88,            # reboot
        91,            # munmap
        113, 166,      # vm86old, vm86: enter VM86 mode (virtual-8086 in Intel literature)
        119, 173,      # sigreturn, rt_sigreturn
        162,           # nanosleep
        252,           # epoll_wait
    ])

    generator = GenerateSyscall(project)
    # Argument index -> literal value forced for these two syscalls
    generator.fixed_arguments[SYS_EXIT] = {1: "0"}
    generator.fixed_arguments[SYS_OLD_SELECT] = {5: "0"}
    # Everything in the name table except the skipped numbers
    generator.syscalls = list(set(SYSCALL_NAMES) - skipped)

    target = SyscallProcess(project, name="syscall")
    WatchProcess(target)

    log = Syslog(project)
    log.syslog.patterns['syscall'] = 1.0
    log.messages.patterns['syscall'] = 1.0
def readSyscall(self, regs):
    """Store the syscall number found in *regs* and its symbolic name.

    Which register carries the number depends on the build flags: gpr0 on
    PowerPC, orig_rax / orig_eax on Linux x86-64 / x86, eax on other
    systems. Numbers missing from SYSCALL_NAMES get a "syscall<N>" label.
    """
    if CPU_PPC:
        number = regs.gpr0
    elif not RUNNING_LINUX:
        number = regs.eax
    elif CPU_X86_64:
        number = regs.orig_rax
    else:
        number = regs.orig_eax
    self.syscall = number
    # Keep the output readable even for numbers the table does not know
    self.name = SYSCALL_NAMES.get(number, "syscall<%s>" % number)
def on_menuitemActivitiesFilterShowOnlySyscall_activate(self, widget):
    """Show only the selected syscall from the results"""
    selection = self.ui.tvwActivities.get_selection()
    if not selection:
        return
    _model, row_iter = selection.get_selected()
    if not row_iter:
        return
    # Empty the list in place: it is rebound nowhere, so the filter's
    # visible func keeps seeing this same object
    del self.filtered_items[:]
    # Hide every syscall name ...
    self.filtered_items.extend(SYSCALL_NAMES.values())
    # ... except the one the user selected
    child_iter = self.ui.filterActivities.convert_iter_to_child_iter(row_iter)
    self.filtered_items.remove(self.modelActivities.get_syscall(child_iter))
    # Apply the new filter to the results view
    self.ui.filterActivities.refilter()
def readSyscall(self, regs):
    """Read the syscall number out of *regs* and resolve its name.

    PowerPC keeps it in gpr0; Linux uses orig_rax (x86-64) or orig_eax
    (x86); any other system is read from eax. Unknown numbers are named
    "syscall<N>".
    """
    if CPU_POWERPC:
        number = regs.gpr0
    elif not RUNNING_LINUX:
        number = regs.eax
    elif CPU_X86_64:
        number = regs.orig_rax
    else:
        number = regs.orig_eax
    self.syscall = number
    # Synthetic label for numbers absent from the name table
    self.name = SYSCALL_NAMES.get(number, "syscall<%s>" % number)
def trace(pid):
    """Attach to *pid* and stop at each syscall until it spawns a child.

    Returns -1 when the attach wait or any later wait fails (the tracee is
    detached in the latter case) and 0 as soon as a clone/fork/vfork/execve
    stop shows a return value strictly between 0 and the hard RLIMIT_NPROC.
    The tracee is left attached when 0 is returned.
    """
    ptrace_attach(pid)
    if wait_status() == -1:
        return -1
    print("-- start traceing %d ..." % pid)

    spawning = ("clone", "fork", "vfork", "execve")
    while True:
        ptrace_syscall(pid)
        if wait_status() == -1:
            ptrace_detach(pid)
            return -1
        regs = ptrace_getregs(pid)
        # Unknown numbers resolve to None, which is never in the tuple
        if SYSCALL_NAMES.get(regs.orig_rax) not in spawning:
            continue
        # Only accept a value that could plausibly be a pid
        _soft, hard = resource.getrlimit(resource.RLIMIT_NPROC)
        if 0 < regs.rax < hard:
            print("create new child: %s" % regs.rax)
            return 0
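def parseOptions(self):
    """Parse the command line and derive the tracer's syscall filters.

    Sets self.options and self.program from the parsed arguments, then:
    self.only (set of syscall names to display; empty means all),
    self.ignore_regex (compiled pattern or None) and forces --show-pid when
    --fork is set, before handing over to self.processOptions().

    Exits the process after printing the syscall table (--list-syscalls),
    the usage (no pid and no program), an unknown name given to
    --syscalls, or an invalid --ignore-regex.
    """
    parser = OptionParser(usage="%prog [options] -- program [arg1 arg2 ...]")
    self.createCommonOptions(parser)
    parser.add_option("--enter", help="Show system call enter and exit", action="store_true", default=False)
    parser.add_option("--profiler", help="Use profiler", action="store_true", default=False)
    parser.add_option("--type", help="Display arguments type and result type (default: no)", action="store_true", default=False)
    parser.add_option("--name", help="Display argument name (default: no)", action="store_true", default=False)
    parser.add_option("--string-length", "-s", help="String max length (default: 300)", type="int", default=300)
    parser.add_option("--array-count", help="Maximum number of array items (default: 20)", type="int", default=20)
    parser.add_option("--raw-socketcall", help="Raw socketcall form", action="store_true", default=False)
    parser.add_option("--output", "-o", help="Write output to specified log file", type="str")
    parser.add_option("--ignore-regex", help="Regex used to filter syscall names (eg. --ignore='^(gettimeofday|futex|f?stat)')", type="str")
    parser.add_option("--address", help="Display structure address", action="store_true", default=False)
    parser.add_option("--syscalls", '-e', help="Comma separated list of shown system calls (other will be skipped)", type="str", default=None)
    parser.add_option("--socket", help="Show only socket functions", action="store_true", default=False)
    parser.add_option("--filename", help="Show only syscall using filename", action="store_true", default=False)
    parser.add_option("--show-pid", help="Prefix line with process identifier", action="store_true", default=False)
    parser.add_option("--list-syscalls", help="Display system calls and exit", action="store_true", default=False)
    parser.add_option("-i", "--show-ip", help="print instruction pointer at time of syscall", action="store_true", default=False)
    self.createLogOptions(parser)
    self.options, self.program = parser.parse_args()

    if self.options.list_syscalls:
        # Dict keys are unique, so sorting the pairs orders by number
        for num, name in sorted(SYSCALL_NAMES.items()):
            print("% 3s: %s" % (num, name))
        exit(0)
    if self.options.pid is None and not self.program:
        parser.print_help()
        exit(1)

    # Create "only" filter: an empty set means "show every syscall"
    only = set()
    if self.options.syscalls:
        valid_names = set(SYSCALL_NAMES.values())
        unknown = []
        # split by "," and remove spaces; duplicates are kept once
        for item in self.options.syscalls.split(","):
            item = item.strip()
            if not item or item in only or item in unknown:
                continue
            # Validate the item itself (the previous loop only re-checked
            # names already accepted, so a single or last misspelled name
            # slipped through and silently produced an empty trace)
            if item in valid_names:
                only.add(item)
            else:
                unknown.append(item)
        if unknown:
            for name in unknown:
                print("ERROR: unknown syscall %r" % name, file=stderr)
            print(file=stderr)
            print("Use --list-syscalls options to get system calls list", file=stderr)
            exit(1)
    if self.options.filename:
        # Every syscall whose prototype has a filename/pathname argument
        for syscall, (restype, arguments) in SYSCALL_PROTOTYPES.items():
            if any(argname in FILENAME_ARGUMENTS for argtype, argname in arguments):
                only.add(syscall)
    if self.options.socket:
        only |= SOCKET_SYSCALL_NAMES
    self.only = only

    if self.options.ignore_regex:
        try:
            self.ignore_regex = re.compile(self.options.ignore_regex)
        except re.error as err:
            print("Invalid regular expression! %s" % err)
            print("(regex: %r)" % self.options.ignore_regex)
            exit(1)
    else:
        self.ignore_regex = None
    if self.options.fork:
        # Several traced processes share one output, so tag every line
        self.options.show_pid = True
    self.processOptions()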
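def parseOptions(self):
    """Parse the command line and derive the tracer's syscall filters.

    Sets self.options and self.program from the parsed arguments, then:
    self.only (set of syscall names to display; empty means all),
    self.ignore_regex (compiled pattern or None) and forces --show-pid when
    --fork is set, before handing over to self.processOptions().

    Exits the process after printing the syscall table (--list-syscalls),
    the usage (no pid and no program), an unknown name given to
    --syscalls, or an invalid --ignore-regex.
    """
    parser = OptionParser(
        usage="%prog [options] -- program [arg1 arg2 ...]")
    self.createCommonOptions(parser)
    parser.add_option("--enter", help="Show system call enter and exit",
                      action="store_true", default=False)
    parser.add_option("--profiler", help="Use profiler",
                      action="store_true", default=False)
    parser.add_option(
        "--type",
        help="Display arguments type and result type (default: no)",
        action="store_true", default=False)
    parser.add_option("--name", help="Display argument name (default: no)",
                      action="store_true", default=False)
    parser.add_option("--string-length", "-s",
                      help="String max length (default: 300)",
                      type="int", default=300)
    parser.add_option("--array-count",
                      help="Maximum number of array items (default: 20)",
                      type="int", default=20)
    parser.add_option("--raw-socketcall", help="Raw socketcall form",
                      action="store_true", default=False)
    parser.add_option("--output", "-o",
                      help="Write output to specified log file",
                      type="str")
    parser.add_option(
        "--ignore-regex",
        help="Regex used to filter syscall names (e.g. --ignore='^(gettimeofday|futex|f?stat)')",
        type="str")
    parser.add_option("--address", help="Display structure address",
                      action="store_true", default=False)
    parser.add_option(
        "--syscalls", '-e',
        help="Comma separated list of shown system calls (other will be skipped)",
        type="str", default=None)
    parser.add_option("--socket", help="Show only socket functions",
                      action="store_true", default=False)
    parser.add_option("--filename", help="Show only syscall using filename",
                      action="store_true", default=False)
    parser.add_option("--show-pid", help="Prefix line with process identifier",
                      action="store_true", default=False)
    parser.add_option("--list-syscalls", help="Display system calls and exit",
                      action="store_true", default=False)
    parser.add_option("-i", "--show-ip",
                      help="print instruction pointer at time of syscall",
                      action="store_true", default=False)
    self.createLogOptions(parser)
    self.options, self.program = parser.parse_args()

    if self.options.list_syscalls:
        # Dict keys are unique, so sorting the pairs orders by number
        for num, name in sorted(SYSCALL_NAMES.items()):
            print("% 3s: %s" % (num, name))
        exit(0)
    if self.options.pid is None and not self.program:
        parser.print_help()
        exit(1)

    # Create "only" filter: an empty set means "show every syscall"
    only = set()
    if self.options.syscalls:
        valid_names = set(SYSCALL_NAMES.values())
        unknown = []
        # split by "," and remove spaces; duplicates are kept once
        for item in self.options.syscalls.split(","):
            item = item.strip()
            if not item or item in only or item in unknown:
                continue
            # Validate the item itself (the previous loop only re-checked
            # names already accepted, so a single or last misspelled name
            # slipped through and silently produced an empty trace)
            if item in valid_names:
                only.add(item)
            else:
                unknown.append(item)
        if unknown:
            for name in unknown:
                print("ERROR: unknown syscall %r" % name, file=stderr)
            print(file=stderr)
            print(
                "Use --list-syscalls options to get system calls list",
                file=stderr)
            exit(1)
    if self.options.filename:
        # Every syscall whose prototype has a filename/pathname argument
        for syscall, (restype, arguments) in SYSCALL_PROTOTYPES.items():
            if any(argname in FILENAME_ARGUMENTS
                   for argtype, argname in arguments):
                only.add(syscall)
    if self.options.socket:
        only |= SOCKET_SYSCALL_NAMES
    self.only = only

    if self.options.ignore_regex:
        try:
            self.ignore_regex = re.compile(self.options.ignore_regex)
        except re.error as err:
            print("Invalid regular expression! %s" % err)
            print("(regex: %r)" % self.options.ignore_regex)
            exit(1)
    else:
        self.ignore_regex = None
    if self.options.fork:
        # Several traced processes share one output, so tag every line
        self.options.show_pid = True
    self.processOptions()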
def __init__(self, application, settings):
    """Build the main window: load the UI, restore saved settings and fill
    the syscall models.

    Args:
        application: owning application object, kept as self.application.
        settings: settings store queried for the intercepted syscalls list,
            boolean menu states and the saved window geometry.
    """
    self.application = application
    self.ui = GtkBuilderLoader(FILE_UI_MAIN)
    self.settings = settings
    self.loadUI()
    # Restore the intercepted syscalls list from settings
    # (None when nothing was saved; see the model fill below)
    saved_syscalls = settings.get_intercepted_syscalls()
    # Restore the options from settings; the current widget state is the
    # default when the key is missing
    self.ui.menuitemAutoClear.set_active(self.settings.get_boolean(
        SECTION_APPLICATION, 'autoclear',
        self.ui.menuitemAutoClear.get_active()))
    # Update the Show only called syscalls in counts status
    self.ui.menuitemCountsOnlyCalled.set_active(self.settings.get_boolean(
        SECTION_COUNTS, 'only called',
        self.ui.menuitemCountsOnlyCalled.get_active()))
    # Fire the handler by hand so the view matches the restored state
    self.on_menuitemCountsOnlyCalled_toggled(None)
    # Update the Show only existing files status
    self.ui.menuitemFilesShowOnlyExisting.set_active(self.settings.get_boolean(
        SECTION_FILES, 'only existing',
        self.ui.menuitemFilesShowOnlyExisting.get_active()))
    self.on_menuitemFilesShowOnlyExisting_toggled(None)
    self.ui.infobarInformation.set_visible(False)
    # Load all the available syscall names, one row per name in both the
    # intercepted-syscalls model and the counts model
    for syscall in sorted(SYSCALL_NAMES.values()):
        # Unknown prototype: empty return type, no arguments
        prototype = SYSCALL_PROTOTYPES.get(syscall, ('', ( )))
        self.modelInterceptedSyscalls.add(items=(
            # If the configuration file has a list of intercepted syscalls then
            # set each syscall status accordingly; with no saved list every
            # syscall starts intercepted (and/or idiom: "A and True or B")
            saved_syscalls is None and True or syscall in saved_syscalls,
            # Add syscall name
            syscall,
            # Add return type
            prototype[0],
            # Add prototype arguments as "type name, type name, ..."
            ', '.join(['%s %s' % m for m in prototype[1]]),
            # Does this syscall use any filename/pathname argument?
            any(argname in FILENAME_ARGUMENTS for argtype, argname in prototype[1]),
            # Is this syscall used by sockets?
            syscall in SOCKET_SYSCALL_NAMES,
        ))
        # Counts start at zero and hidden
        self.modelCounts.add(items=(syscall, 0, False))
    self.update_InterceptedSyscalls_count()
    # Restore the saved size and position; a zero/missing value skips it
    if self.settings.get_value('width', 0) and self.settings.get_value('height', 0):
        self.ui.winMain.set_default_size(
            self.settings.get_value('width', -1),
            self.settings.get_value('height', -1))
    if self.settings.get_value('left', 0) and self.settings.get_value('top', 0):
        self.ui.winMain.move(
            self.settings.get_value('left', 0),
            self.settings.get_value('top', 0))
    # Restore visible columns
    for current_section in self.column_headers.get_sections():
        self.column_headers.load_visible_columns(current_section)
    # Set ModelFilter: the list object itself is handed to the visible
    # func, so it must be mutated in place (never rebound) to stay in sync
    self.filtered_items = []
    self.ui.filterActivities.set_visible_func(self.check_for_filtered_syscall, self.filtered_items)
    # Set counts filter
    self.ui.filterCounts.set_visible_column(self.modelCounts.COL_VISIBILITY)
    self.ui.filterCounts.refilter()
    # Set files filter
    self.ui.filterFiles.set_visible_column(self.modelFiles.COL_EXISTING)
    self.ui.filterFiles.refilter()
    # Load the others dialogs
    self.about = AboutWindow(self.ui.winMain, False)
    # Created later on demand
    self.thread_loader = None
    self.debugger = None
def readSyscall(self, regs):
    """Record the syscall number and its name from *regs*.

    The number is taken from the register named by SYSCALL_REGISTER; a
    number missing from SYSCALL_NAMES is labelled "syscall<N>".
    """
    number = getattr(regs, SYSCALL_REGISTER)
    self.syscall = number
    self.name = SYSCALL_NAMES.get(number, "syscall<%s>" % number)
def readSyscall(self, regs):
    """Read the syscall number from the SYSCALL_REGISTER field of *regs*
    and store it with its symbolic name ("syscall<N>" when unknown)."""
    self.syscall = getattr(regs, SYSCALL_REGISTER)
    fallback = "syscall<%s>" % self.syscall
    # Keep tracing output readable for numbers absent from the table
    self.name = SYSCALL_NAMES.get(self.syscall, fallback)