def timer_callback(self, ctx): fe.log("calling functions!") # e = fe.translate_ksym2v('init_task') # fe.log(f'TRANSLATE_KSYM2V init_task: {e}') self.do_pslist(pause=True) fe.log("done!") fe.exit()
def timer_callback(self, ctx): timeit_on = False cprof_bo = False once = True if timeit_on: self.log = [] self.msgs = [] self.procs = [] fe.log("prepping batch obj") self.prep_batch_pslist_self() fe.pause_vm() fe.log("running timeit") t = timeit.Timer(lambda: self.do_batch_pslist_new()).timeit( number=100) fe.log("done timeit") fe.resume_vm() t = t / 100.0 fe.log("timeit pslist in {sec:.6f} seconds".format(sec=t)) self.summarize() if once: fe.log("prepping batch obj") self.prep_batch_pslist_self() gc.disable() fe.log("running pipeline") self.do_batch_pslist_new(pause=False) fe.log("done pipeline") gc.enable() self.summarize() if cprof_bo: self.log = [] self.msgs = [] self.procs = [] self.prep_batch_pslist_self() fe.pause_vm() cProfile.runctx( "self.do_batch_pslist_new()", globals(), locals(), filename="/home/micah/femain.pipeline.profile", ) fe.resume_vm() self.summarize() fe.log("calls: %s" % self.calls) fe.log("procs: %s" % self.procs) fe.log("calling exit") fe.exit()
def timer_callback(self, ctx): fe.log(f"TIMER CALLBACK {self.ticks}") if self.ticks == 0: fe.log("dk_start_syscall") self.do_dk_start_syscall(self.be_callback, fe.ASYNC) if self.ticks == 10: fe.log("dk_stop_syscall") self.do_dk_stop_syscall() fe.exit() self.ticks += 1
def be_callback(self, ctx): fe.log(f'BE CALLBACK: {ctx}') self.two_way = True # msg format: {'cmd': 'foo', 'data': 'bar', 'ix': dump_order, 'hash': hash} # ALL ASYNC # FE: hi, waiting, memdump_running, memdump_done, error # BE: memdump_cmd: go, stop msg = json.loads(ctx.message) fe.log(f'JSON message: {msg}') if msg['cmd'] == 'memdump_cmd' and msg['data'] == 'go': if self.did >= 0: fe.log(f'error, dump already in procress (eid={self.did})') fe.notify( json.dumps({ 'cmd': 'error', 'data': 'memdump already running' })) else: fe.log(f'running memdump') fe.notify( json.dumps({ 'cmd': 'memdump_running', 'data': time.time() })) self.did = fe.event_register({ 'event_type': fe.TIMER, 'time_value': 0.0, 'callback': self.memdump_callback }) fe.log(f'registered new event {self.did}') elif msg['cmd'] == 'memdump_cmd' and msg['data'] == 'stop': if self.did >= 0: fe.event_clear(self.did) self.did = -1 fe.log(f'canceled dump') else: fe.log(f'error, no dump in procress (eid={self.did})') elif msg['cmd'] == 'memdump_cmd' and msg['data'] == 'exit': fe.log('was commanded to exit...') fe.exit() fe.log('BE CALLBACK done')
def __init__(self, ctx): fe.set_name("modlist") self.pslist = {} self.lookups = { "name_offset": fe.lookup_structure("task_struct", "comm"), "pid_offset": fe.lookup_structure("task_struct", "pid"), "tasks_offset": fe.lookup_structure("task_struct", "tasks"), "modules": fe.lookup_symbol("modules"), } e = {"event_type": fe.BE, "callback": self.be_callback} fe.event_register(e) self.do_modlist() fe.exit()
def __init__(self, ctx): fe.log("in pslist_dk constructor") fe.set_name("pslist_dk") e = {"event_type": fe.BE, "callback": self.be_callback} fe.event_register(e) self.pslist = {} self.log = [] self.calls = [] self.msgs = [] self.procs = [] timeit_on = False cprof = False if cprof: self.do_dk_pslist(pause=True) # zmq warmup cProfile.runctx( "self.do_dk_pslist()", globals(), locals(), filename="/home/micah/femain.dk.profile", ) if timeit_on: self.do_dk_pslist(pause=True) # zmq warmup fe.pause_vm() t = timeit.Timer(lambda: self.do_dk_pslist()).timeit(number=100) t = t / 100.0 fe.resume_vm() fe.log("timeit pslist in {sec:.6f} seconds".format(sec=t)) else: self.pslist = {} gc.disable() self.do_dk_pslist(pause=True) gc.enable() fe.log(self.pslist) for l in self.log: fe.log(l) fe.log("calls: %s" % self.calls) fe.log("procs: %s" % self.procs) fe.log("msgs: %s" % self.msgs) fe.log("leaving pslist_dk constructor") fe.exit()
def be_callback(self, ctx): fe.log(f"BE CALLBACK: {ctx}") self.two_way = True # msg format: {'cmd': 'foo', 'data': 'bar', 'ix': dump_order, 'hash': hash} # ALL ASYNC # FE: hi, waiting, memdump_running, memdump_done, error # BE: memdump_cmd: go, stop msg = json.loads(ctx.message) fe.log(f"JSON message: {msg}") if msg["cmd"] == "memdump_cmd" and msg["data"] == "go": if self.did >= 0: fe.log(f"error, dump already in procress (eid={self.did})") fe.notify( json.dumps({"cmd": "error", "data": "memdump already running"}) ) else: fe.log(f"running memdump") fe.notify(json.dumps({"cmd": "memdump_running", "data": time.time()})) self.did = fe.event_register( { "event_type": fe.TIMER, "time_value": 0.0, "callback": self.memdump_callback, } ) fe.log(f"registered new event {self.did}") elif msg["cmd"] == "memdump_cmd" and msg["data"] == "stop": if self.did >= 0: fe.event_clear(self.did) self.did = -1 fe.log(f"canceled dump") else: fe.log(f"error, no dump in procress (eid={self.did})") elif msg["cmd"] == "memdump_cmd" and msg["data"] == "exit": fe.log("was commanded to exit...") fe.exit() fe.log("BE CALLBACK done")
def timer_callback(self, ctx): timeit_on = False cprof = False once = True if cprof: self.do_batch_pslist(pause=True) # zmq warmup cProfile.runctx( "self.do_batch_pslist()", globals(), locals(), filename="/home/micah/femain.batch.profile", ) if timeit_on: fe.log("warming up") self.do_batch_pslist(pause=True) # zmq warmup fe.pause_vm() fe.log("running timeit") t = timeit.Timer(lambda: self.do_batch_pslist()).timeit(number=100) fe.log("done timeit") fe.resume_vm() t = t / 100.0 fe.log("timeit pslist in {sec:.6f} seconds".format(sec=t)) if once: self.pslist = {} gc.disable() self.do_batch_pslist(pause=True) gc.enable() # fe.log(self.pslist) for l in self.log: fe.log(l) fe.log("calls: %s" % self.calls) fe.log("procs: %s" % self.procs) fe.log("msgs: %s" % self.msgs) fe.log("leaving batching constructor") fe.exit()
def timer_callback(self, ctx): now = time.time() if self.last + 10 < now: fe.log("refreshing pslist") # pslist[proc.pid] = {'name': proc.name, 'process_block_ptr': proc.process_block_ptr} self.pslist = fe.process_list() # fe.log(f'#procs: {len(self.pslist)}') for pid, proc in self.pslist.items(): if proc["name"] == "sshd": fe.log(f"found sshd: {pid} {proc}") if not self.target_proc: self.target_proc["pid"] = pid for k, v in proc.items(): self.target_proc[k] = v for k, v in self.enumerate_proc( proc["process_block_ptr"]).items(): self.target_proc[k] = v fe.log(f"loading target_proc {self.target_proc}") if self.state == INIT: fe.log(f"installing breakpoint on commit_creds") address = self.l["commit_creds"] e = { "event_type": fe.INT, "sync": fe.SYNC, "bp_pid": fe.KERNEL, "bp_addr": address, "callback": self.commit_creds_callback, } try: eid = fe.event_register(e) except Exception: fe.log(f"could not inject at commit_creds") errors.append("commit_creds") else: self.events[eid] = address fe.log(f"event is {eid}") self.symbols[address] = { "address": address, "t": "T", "func_name": "commit_creds", } self.state = INJECTED if False and self.state == INIT: fe.log(f"injecting against {self.target_proc}") self.state = INJECTED errors = [] for address, info in self.symbols.items(): if "do_log" != info["func_name"]: fe.log(f"skipping {info['func_name']}") continue bp_addr = self.target_proc["text_start"] + address pid = self.target_proc["pid"] fe.log(f"installing bp at {bp_addr:x} for {address}:{info}") e = { "event_type": fe.INT, "sync": fe.SYNC, "bp_pid": pid, "bp_addr": bp_addr, "callback": self.int_callback, } try: eid = fe.event_register(e) except Exception: fe.log(f"could not inject at {info['func_name']}") errors.append(info["func_name"]) else: self.events[eid] = address fe.log(f"event is {eid}") fe.log(f"done, errors: {errors}") if self.tick == 15: fe.log("shutting down") fe.events_stop() for eid, address in self.events.items(): fe.log(f"clearing {eid}: {self.symbols[address]['func_name']}") fe.event_clear(eid) self.events = {} print(f"formats: {self.fmts}") print(f"users: {self.users}") fe.exit() fe.log(f"tick {self.tick}") self.tick += 1 self.last = now