def process_event(self, event):
# Clearing these caches is really important since otherwise we will end
# up with incorrect memory references. Unfortunatelly, this will also
# make the backend slow. In my limited testing it seems that only
# clearing v2p cache works most of the time but I am sure issues will
# arise.
self.libvmi.v2pcache_flush(0)
self.libvmi.pidcache_flush()
self.libvmi.rvacache_flush()
self.libvmi.symcache_flush()
process = self.associate_process(event.sregs.cr3)
if event.direction == SyscallDirection.exit:
try:
syscall = self.syscall_stack[event.vcpu_nb].pop()
except IndexError:
syscall = Syscall(event, "Unknown", "Unknown", process, None)
else:
try:
name = self.get_syscall_name(event.regs.rax)
args = FreeBSDArgumentMap(event, process)
cleaned = clean_name(name) if name is not None else None
syscall = Syscall(event, name, cleaned, process, args)
except LibvmiError as error:
logging.error("FreeBSDBackend: failed to get_syscall_name (LibvmiError)")
raise error
self.syscall_stack[event.vcpu_nb].append(syscall)
self.dispatch_hooks(syscall)
return syscall
def process_event(self, event):
# invalidate libvmi cache
self.libvmi.v2pcache_flush()
self.libvmi.pidcache_flush()
self.libvmi.rvacache_flush()
self.libvmi.symcache_flush()
# rebuild context
cr3 = event.sregs.cr3
# 1 find process
process = self.associate_process(cr3)
# 2 find syscall
if event.direction == SyscallDirection.exit:
try:
syscall = self.syscall_stack[event.vcpu_nb].pop()
# replace register values
syscall.event = event
except IndexError:
# FIXME: This is ugly, names should be None
syscall = Syscall(event, 'Unknown', 'Unknown', process, None)
else:
syscall_name = self.get_syscall_name(event.regs.rax)
# build syscall
args = WindowsArgumentMap(event, process)
cleaned = clean_name(syscall_name)
syscall = Syscall(event, syscall_name, cleaned, process, args)
# push syscall to the stack to retrieve it at exit
self.syscall_stack[event.vcpu_nb].append(syscall)
# dispatch on the hooks
self.dispatch_hooks(syscall)
return syscall
def process_event(self, event):
if not self.analyze:
raise RuntimeError('Syscall analyzing is disabled in the backend')
# invalidate libvmi cache
self.libvmi.v2pcache_flush()
self.libvmi.pidcache_flush()
self.libvmi.rvacache_flush()
self.libvmi.symcache_flush()
# rebuild context
cr3 = event.sregs.cr3
# 1 find process
process = self.associate_process(cr3)
# 2 find syscall
if event.direction == SyscallDirection.exit:
try:
syscall = self.syscall_stack[event.vcpu_nb].pop()
# replace register values
syscall.event = event
except IndexError:
# build a new syscall object using 'Unknown' as syscall name
syscall = Syscall(event, 'Unknown', process, self.nitro)
else:
syscall_name = self.get_syscall_name(event.regs.rax)
# build syscall
syscall = Syscall(event, syscall_name, process, self.nitro)
# push syscall to the stack to retrieve it at exit
self.syscall_stack[event.vcpu_nb].append(syscall)
# dispatch on the hooks
self.dispatch_hooks(syscall)
return syscall
def process_event(self, event):
# invalidate libvmi cache
self.libvmi.v2pcache_flush(0)
self.libvmi.pidcache_flush()
self.libvmi.rvacache_flush()
self.libvmi.symcache_flush()
# rebuild context
cr3 = event.sregs.cr3
# 1 find process
process = self.associate_process(cr3)
# 2 find syscall
try:
if event.direction == SyscallDirection.exit:
try:
name = self.syscall_stack[event.vcpu_nb].pop()
except IndexError:
name = 'Unknown'
else:
name = self.get_syscall_name(event.regs.rax)
# push them to the stack
self.syscall_stack[event.vcpu_nb].append(name)
except LibvmiError as error:
logging.error("LinuxBackend: failed to get_syscall_name (LibvmiError)")
raise error
args = WindowsArgumentMap(event, process)
if name == 'Unknown':
cleaned = 'Unknown'
else:
cleaned = clean_name(name) if name is not None else None
syscall = Syscall(event, name, cleaned, process, args)
# dispatch on the hooks
self.dispatch_hooks(syscall)
return syscall
def process_event(self, event):
"""
Process ``NitroEvent`` and return a matching ``Systemcall``. This function
analyzes system state and, based on it, produces a new ``Systemcall``
that contains higher-level information about the system call that is
being processed.
:param NitroEvent event: event to be analyzed
:returns: system call based on ``event``.
:rtype: Systemcall
"""
# Clearing these caches is really important since otherwise we will end
# up with incorrect memory references. Unfortunatelly, this will also
# make the backend slow. In my limited testing it seems that only
# clearing v2p cache works most of the time but I am sure issues will
# arise.
self.libvmi.v2pcache_flush()
self.libvmi.pidcache_flush()
self.libvmi.rvacache_flush()
self.libvmi.symcache_flush()
process = self.associate_process(event.sregs.cr3)
if event.direction == SyscallDirection.exit:
try:
syscall = self.syscall_stack[event.vcpu_nb].pop()
syscall.event = event
except IndexError:
syscall = Syscall(event, "Unknown", "Unknown", process, None)
else:
# Maybe we should catch errors from associate_process
name = self.get_syscall_name(event.regs.rax)
args = LinuxArgumentMap(event, process)
cleaned = clean_name(name) if name is not None else None
syscall = Syscall(event, name, cleaned, process, args)
self.syscall_stack[event.vcpu_nb].append(syscall)
self.dispatch_hooks(syscall)
return syscall