├── .astylerc ├── .dockerignore ├── .github └── workflows │ ├── astyle.yml │ ├── ci.yml │ ├── container-compile.yml │ ├── coverity.yml │ ├── cppcheck.yml │ ├── cpplint.yml │ ├── deb.yml │ ├── scorecards.yml │ └── whitespace.yml ├── .gitignore ├── .gitmodules ├── COPYING ├── LICENSE ├── Makefile.am ├── README.md ├── SECURITY.md ├── autogen.sh ├── ci ├── dll-hooks-list └── syscalls.txt ├── configure.ac ├── llvm.ini ├── m4 └── ax_require_defined.m4 ├── meson.build ├── meson_options.txt ├── package ├── .gitmodules ├── Dockerfile-final ├── Dockerfile-registry ├── Dockerfile-xen ├── README.md ├── build.sh ├── configure-xen.sh ├── depends.sh ├── extra │ ├── etc │ │ ├── default │ │ │ └── grub.d │ │ │ │ └── xen.cfg │ │ ├── dnsmasq.conf │ │ ├── ld.so.conf.d │ │ │ └── host.conf │ │ └── modules-load.d │ │ │ └── xen.conf │ └── usr │ │ └── bin │ │ └── drak-find-xen-defaults ├── mkdeb ├── postinst └── postrm ├── scripts ├── complexity.sh ├── install.sh ├── version.sh └── wrap-compiler-for-flag-check ├── src ├── Makefile.am ├── dirwatch │ ├── Makefile.am │ ├── dirwatch.c │ └── distributor.c ├── drakvuf.cpp ├── drakvuf.h ├── exitcodes.h ├── helpers │ └── hiddump │ │ ├── Makefile.am │ │ ├── hiddump.c │ │ └── readme.org ├── injector.cpp ├── libdrakvuf │ ├── Makefile.am │ ├── drakvuf.c │ ├── helper.c │ ├── json-profile.c │ ├── json-profile.h │ ├── json-util.c │ ├── json-util.h │ ├── libdrakvuf.h │ ├── linux-exports.c │ ├── linux-exports.h │ ├── linux-offsets-map.h │ ├── linux-offsets.h │ ├── linux-processes.c │ ├── linux.c │ ├── linux.h │ ├── meson.build │ ├── ntstatus.h │ ├── os.c │ ├── os.h │ ├── private.h │ ├── vmi.c │ ├── vmi.h │ ├── win-error-codes.h │ ├── win-exports.c │ ├── win-exports.h │ ├── win-files.c │ ├── win-handles.c │ ├── win-handles.h │ ├── win-offsets-map.h │ ├── win-offsets.h │ ├── win-processes.c │ ├── win-registry.c │ ├── win-wow-offsets-map.h │ ├── win-wow-offsets.h │ ├── win.c │ └── win.h ├── libhook │ ├── Makefile.am │ ├── call_result.hpp │ ├── hooks │ │ ├── 
base.cpp │ │ ├── base.hpp │ │ ├── catchall.cpp │ │ ├── catchall.hpp │ │ ├── cpuid.cpp │ │ ├── cpuid.hpp │ │ ├── cr3.cpp │ │ ├── cr3.hpp │ │ ├── manual.cpp │ │ ├── manual.hpp │ │ ├── memaccess.cpp │ │ ├── memaccess.hpp │ │ ├── return.cpp │ │ ├── return.hpp │ │ ├── syscall.cpp │ │ └── syscall.hpp │ ├── libhook.hpp │ └── meson.build ├── libinjector │ ├── Makefile.am │ ├── debug_helpers.c │ ├── debug_helpers.h │ ├── injector.c │ ├── injector_stack.c │ ├── injector_utils.c │ ├── injector_utils.h │ ├── libinjector.h │ ├── linux │ │ ├── linux_injector.c │ │ ├── linux_injector.h │ │ ├── linux_private.h │ │ ├── linux_syscalls.c │ │ ├── linux_syscalls.h │ │ ├── linux_utils.c │ │ ├── linux_utils.h │ │ └── methods │ │ │ ├── linux_execve.c │ │ │ ├── linux_execve.h │ │ │ ├── linux_read_file.c │ │ │ ├── linux_read_file.h │ │ │ ├── linux_shellcode.c │ │ │ ├── linux_shellcode.h │ │ │ ├── linux_write_file.c │ │ │ └── linux_write_file.h │ ├── meson.build │ ├── private.h │ └── win │ │ ├── method_helpers.c │ │ ├── method_helpers.h │ │ ├── methods │ │ ├── win_createproc.c │ │ ├── win_createproc.h │ │ ├── win_exitthread.c │ │ ├── win_exitthread.h │ │ ├── win_read_file.c │ │ ├── win_read_file.h │ │ ├── win_shellcode.c │ │ ├── win_shellcode.h │ │ ├── win_shellexec.c │ │ ├── win_shellexec.h │ │ ├── win_terminate.c │ │ ├── win_terminate.h │ │ ├── win_write_file.c │ │ └── win_write_file.h │ │ ├── win_functions.c │ │ ├── win_functions.h │ │ ├── win_injector.c │ │ ├── win_injector.h │ │ ├── win_private.h │ │ ├── win_utils.c │ │ └── win_utils.h ├── librepl │ ├── Makefile.am │ ├── gen.sh │ ├── librepl.h │ ├── meson.build │ └── repl.cpp ├── libusermode │ ├── Makefile.am │ ├── check.cpp │ ├── meson.build │ ├── printers │ │ ├── check.cpp │ │ ├── printers.cpp │ │ ├── printers.hpp │ │ ├── utils.cpp │ │ └── utils.hpp │ ├── running.cpp │ ├── uh-private.hpp │ ├── userhook.cpp │ ├── userhook.hpp │ ├── userhook_inject.cpp │ ├── userhook_pf.cpp │ ├── utils.cpp │ └── utils.hpp ├── main.cpp ├── plugins │ ├── 
Makefile.am │ ├── apimon │ │ ├── apimon.cpp │ │ ├── apimon.h │ │ ├── crypto.cpp │ │ ├── crypto.h │ │ └── example │ │ │ └── dll-hooks-list-win7x64 │ ├── bsodmon │ │ ├── bsodmon.cpp │ │ ├── bsodmon.h │ │ ├── bugcheck.cpp │ │ ├── bugcheck.h │ │ └── private.h │ ├── callbackmon │ │ ├── README.md │ │ ├── callbackmon.cpp │ │ ├── callbackmon.h │ │ └── private.h │ ├── clipboardmon │ │ ├── clipboardmon.cpp │ │ └── clipboardmon.h │ ├── codemon │ │ ├── codemon.cpp │ │ ├── codemon.h │ │ └── private.h │ ├── cpuidmon │ │ ├── cpuidmon.cpp │ │ ├── cpuidmon.h │ │ └── private.h │ ├── crashmon │ │ ├── crashmon.cpp │ │ └── crashmon.h │ ├── debugmon │ │ ├── debugmon.cpp │ │ ├── debugmon.h │ │ └── private.h │ ├── delaymon │ │ ├── delaymon.cpp │ │ └── delaymon.h │ ├── dkommon │ │ ├── dkommon.cpp │ │ ├── dkommon.h │ │ └── private.h │ ├── ebpfmon │ │ ├── ebpfmon.cpp │ │ ├── ebpfmon.h │ │ └── private.h │ ├── envmon │ │ ├── envmon.cpp │ │ ├── envmon.h │ │ └── private.h │ ├── etwmon │ │ ├── README.md │ │ ├── etwmon.cpp │ │ ├── etwmon.h │ │ └── private.h │ ├── exmon │ │ ├── exmon.cpp │ │ ├── exmon.h │ │ └── private.h │ ├── exploitmon │ │ ├── exploitmon.cpp │ │ ├── exploitmon.h │ │ └── private.h │ ├── filedelete │ │ ├── filedelete.cpp │ │ ├── filedelete.h │ │ ├── filedelete2_helpers.cpp │ │ └── private.h │ ├── fileextractor │ │ ├── fileextractor.cpp │ │ ├── fileextractor.h │ │ ├── private.h │ │ ├── win.cpp │ │ └── win.h │ ├── filetracer │ │ ├── filetracer.cpp │ │ ├── filetracer.h │ │ ├── linux.cpp │ │ ├── linux.h │ │ ├── private.h │ │ ├── win.cpp │ │ ├── win.h │ │ ├── win_acl.cpp │ │ └── win_acl.h │ ├── helpers │ │ ├── exclude_matcher.cpp │ │ ├── exclude_matcher.h │ │ ├── hooks.h │ │ ├── profile_guard.h │ │ ├── type_traits.h │ │ ├── unicode_string.h │ │ └── vmi_lock_guard.h │ ├── hidevm │ │ ├── hidevm.cpp │ │ ├── hidevm.h │ │ └── private.h │ ├── hidsim │ │ ├── gui │ │ │ ├── vmi_win_gui_atoms.cpp │ │ │ ├── vmi_win_gui_atoms.h │ │ │ ├── vmi_win_gui_filter_definitions.h │ │ │ ├── 
vmi_win_gui_offsets.cpp │ │ │ ├── vmi_win_gui_offsets.h │ │ │ ├── vmi_win_gui_parser.cpp │ │ │ ├── vmi_win_gui_parser.h │ │ │ ├── vmi_win_gui_utils.cpp │ │ │ └── vmi_win_gui_utils.h │ │ ├── gui_monitor.cpp │ │ ├── gui_monitor.h │ │ ├── hid_injection.cpp │ │ ├── hid_injection.h │ │ ├── hidsim.cpp │ │ ├── hidsim.h │ │ ├── keymap_evdev_to_qapi.h │ │ ├── qmp │ │ │ ├── keymap_evdev_to_qapi.h │ │ │ ├── qmp_commands.h │ │ │ ├── qmp_connection.cpp │ │ │ └── qmp_connection.h │ │ ├── readme.org │ │ └── res │ │ │ ├── btn_demo.gif │ │ │ └── template_demo.gif │ ├── ipt │ │ ├── ipt.cpp │ │ └── ipt.h │ ├── libhooktest │ │ ├── libhooktest.cpp │ │ └── libhooktest.h │ ├── librarymon │ │ ├── librarymon.cpp │ │ └── librarymon.h │ ├── linkmon │ │ ├── linkmon.cpp │ │ ├── linkmon.h │ │ └── private.h │ ├── memaccessmon │ │ ├── memaccessmon.cpp │ │ ├── memaccessmon.h │ │ └── private.h │ ├── memdump │ │ ├── memdump.cpp │ │ ├── memdump.h │ │ ├── private.h │ │ ├── stack_util.cpp │ │ └── userhook.cpp │ ├── meson.build │ ├── objmon │ │ ├── objmon.cpp │ │ └── objmon.h │ ├── output_format.h │ ├── output_format │ │ ├── check.cpp │ │ ├── common.h │ │ ├── csvfmt.h │ │ ├── deffmt.h │ │ ├── jsonfmt.h │ │ ├── kvfmt.h │ │ ├── ostream.cpp │ │ ├── ostream.h │ │ └── xfmt.h │ ├── plugin_utils.cpp │ ├── plugin_utils.h │ ├── plugin_utils_check.cpp │ ├── plugins.cpp │ ├── plugins.h │ ├── plugins_ex.cpp │ ├── plugins_ex.h │ ├── poolmon │ │ ├── poolmon.cpp │ │ ├── poolmon.h │ │ └── private.h │ ├── procdump │ │ ├── minidump.h │ │ ├── private.h │ │ ├── procdump.cpp │ │ ├── procdump.h │ │ ├── writer.cpp │ │ └── writer.h │ ├── procdump2 │ │ ├── README.md │ │ ├── linux.cpp │ │ ├── linux.h │ │ ├── linux_coredump.h │ │ ├── linux_private.h │ │ ├── private2.h │ │ ├── procdump2.cpp │ │ ├── procdump2.h │ │ ├── win.cpp │ │ ├── win.h │ │ ├── win_minidump.h │ │ ├── win_private.h │ │ ├── writer.cpp │ │ └── writer.h │ ├── procmon │ │ ├── check.cpp │ │ ├── linux.cpp │ │ ├── linux.h │ │ ├── linux_utils.cpp │ │ ├── linux_utils.h │ 
│ ├── private.h │ │ ├── privileges.cpp │ │ ├── privileges.h │ │ ├── procmon.cpp │ │ ├── procmon.h │ │ ├── win.cpp │ │ ├── win.h │ │ ├── winnt.cpp │ │ └── winnt.h │ ├── ptracemon │ │ ├── private.h │ │ ├── ptracemon.cpp │ │ └── ptracemon.h │ ├── rebootmon │ │ ├── linux-private.h │ │ ├── linux.cpp │ │ ├── linux.h │ │ ├── rebootmon.cpp │ │ └── rebootmon.h │ ├── regmon │ │ ├── regmon.cpp │ │ └── regmon.h │ ├── rootkitmon │ │ ├── README.md │ │ ├── private.h │ │ ├── rootkitmon.cpp │ │ └── rootkitmon.h │ ├── rpcmon │ │ ├── private.h │ │ ├── rpcmon.cpp │ │ └── rpcmon.h │ ├── socketmon │ │ ├── private.h │ │ ├── socketmon.cpp │ │ └── socketmon.h │ ├── spraymon │ │ ├── spraymon.cpp │ │ └── spraymon.h │ ├── ssdtmon │ │ ├── private.h │ │ ├── ssdtmon.cpp │ │ └── ssdtmon.h │ ├── syscalls │ │ ├── check.cpp │ │ ├── linux.cpp │ │ ├── linux.h │ │ ├── private.h │ │ ├── private_2.h │ │ ├── syscalls.cpp │ │ ├── syscalls.h │ │ ├── win.cpp │ │ └── win.h │ ├── tlsmon │ │ ├── private.h │ │ ├── tlsmon.cpp │ │ └── tlsmon.h │ ├── unixsocketmon │ │ ├── private.h │ │ ├── unixsocketmon.cpp │ │ └── unixsocketmon.h │ ├── windowmon │ │ ├── windowmon.cpp │ │ └── windowmon.h │ └── wmimon │ │ ├── private.h │ │ ├── wmimon.cpp │ │ └── wmimon.h ├── proc_stat.cpp ├── repl.cpp ├── xen_helper │ ├── Makefile.am │ ├── meson.build │ ├── private.h │ ├── xen_helper.c │ └── xen_helper.h └── xtf.c └── tools ├── cleanup.sh ├── clone.pl ├── demangle.py ├── drakvuf.sh ├── network-setup.sh ├── pdbguid.py ├── preconfig.sh ├── rekall_linux_profile_fix.sh ├── rpcserver.py ├── rpctestclient.py ├── run_drakvuf-async.py ├── run_drakvuf.py └── tcpdump.sh /.astylerc: -------------------------------------------------------------------------------- 1 | style=allman 2 | indent-switches 3 | suffix=none 4 | align-pointer=type 5 | align-reference=type 6 | indent=spaces=4 7 | indent-after-parens 8 | pad-header 9 | pad-comma 10 | min-conditional-indent=0 11 | max-continuation-indent=40 12 | attach-closing-while 13 | 
-------------------------------------------------------------------------------- /.dockerignore: -------------------------------------------------------------------------------- 1 | package/cache/ 2 | package/out/ 3 | package/log/ 4 | -------------------------------------------------------------------------------- /.github/workflows/astyle.yml: -------------------------------------------------------------------------------- 1 | name: astyle 2 | on: 3 | pull_request: 4 | branches: [ main ] 5 | permissions: 6 | contents: read 7 | jobs: 8 | astyle: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@v4 12 | - name: install dependencies 13 | run: sudo apt-get install astyle 14 | 15 | - name: astyle check 16 | id: astyle 17 | run: | 18 | ARTISTIC_STYLE_OPTIONS=".astylerc" astyle -Q --recursive ./src/*.cpp,*.c,*.hpp,*.h > astyle.out 19 | TEST=$(cat astyle.out | wc -l) 20 | if [ $TEST -gt 3 ]; then exit 1; fi 21 | 22 | - name: Show required astyle changes 23 | if: failure() 24 | run: git diff 25 | -------------------------------------------------------------------------------- /.github/workflows/container-compile.yml: -------------------------------------------------------------------------------- 1 | name: container-compile 2 | on: 3 | pull_request: 4 | branches: [ main ] 5 | permissions: 6 | contents: read 7 | concurrency: 8 | group: container-compile-${{ github.ref }} 9 | cancel-in-progress: true 10 | jobs: 11 | compile: 12 | strategy: 13 | matrix: 14 | container: 15 | - 'debian:bookworm-slim' 16 | - 'ubuntu:jammy' 17 | - 'ubuntu:noble' 18 | runs-on: ubuntu-latest 19 | container: 20 | image: ${{ matrix.container }} 21 | 22 | steps: 23 | - name: Install dependencies 24 | env: 25 | DEBIAN_FRONTEND: noninteractive 26 | run: | 27 | apt-get update -q 28 | apt-get install -y \ 29 | autoconf-archive flex bison libjson-c-dev build-essential \ 30 | git libtool autotools-dev libglib2.0-dev libyajl-dev liblzo2-dev \ 31 | clang llvm lld meson ninja-build 32 | 
apt-get clean 33 | 34 | - name: Configure safe dirs 35 | run: git config --global --add safe.directory $PWD 36 | 37 | - uses: actions/checkout@v4 38 | 39 | - name: Get Xen version 40 | id: get-xen-hash 41 | run: | 42 | echo XEN_HASH=${{ matrix.container }}_$(git submodule | grep xen | awk '{ print $1 }') >> $GITHUB_OUTPUT 43 | 44 | - name: Cache Xen debball 45 | id: cache-xen 46 | uses: actions/cache@v4 47 | with: 48 | path: xen/dist 49 | key: ${{ steps.get-xen-hash.outputs.XEN_HASH }} 50 | 51 | - name: Create Xen debball 52 | if: steps.cache-xen.outputs.cache-hit != 'true' 53 | run: | 54 | apt-get install -y \ 55 | wget git bcc bin86 gawk bridge-utils iproute2 \ 56 | libcurl4-openssl-dev bzip2 libpci-dev build-essential \ 57 | libc6-dev linux-libc-dev zlib1g-dev libncurses5-dev \ 58 | patch libvncserver-dev libssl-dev iasl libbz2-dev \ 59 | e2fslibs-dev git-core uuid-dev ocaml libx11-dev bison \ 60 | flex ocaml-findlib xz-utils gettext libpixman-1-dev \ 61 | libaio-dev libfdt-dev cabextract libfuse-dev \ 62 | liblzma-dev autoconf-archive kpartx python3-dev \ 63 | python3-pip golang libsystemd-dev python3-tomli 64 | git submodule update --init xen 65 | cd xen 66 | ./configure --enable-githttp --disable-pvshim --disable-stubdom --disable-docs --disable-werror --with-extra-qemuu-configure-args="--disable-werror" 67 | make -j4 debball 68 | cd .. 69 | 70 | - name: Install Xen debball 71 | run: | 72 | dpkg -i xen/dist/xen-*.deb 73 | 74 | - name: Install LibVMI 75 | run: | 76 | git submodule update --init libvmi 77 | cd libvmi 78 | autoreconf -vif 79 | ./configure --disable-kvm --disable-bareflank --disable-file --disable-examples 80 | make 81 | make install 82 | cd .. 
83 | 84 | - name: Compile 85 | run: | 86 | meson setup build --native-file llvm.ini 87 | ninja -C build 88 | -------------------------------------------------------------------------------- /.github/workflows/coverity.yml: -------------------------------------------------------------------------------- 1 | name: coverity-scan 2 | on: 3 | push: 4 | branches: main 5 | permissions: 6 | contents: read 7 | jobs: 8 | latest: 9 | runs-on: ubuntu-20.04 10 | env: 11 | CC: clang 12 | CXX: clang++ 13 | TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} 14 | 15 | steps: 16 | - uses: actions/checkout@v4 17 | - name: Install dependencies 18 | run: | 19 | sudo apt-get update -q 20 | sudo apt-get remove -y clang 21 | sudo apt-get install -y clang-10 autoconf-archive flex bison libjson-c-dev 22 | 23 | - name: Get Xen version 24 | id: get-xen-hash 25 | run: | 26 | echo XEN_HASH=$(git submodule | grep xen | awk '{ print $1 }') >> $GITHUB_OUTPUT 27 | - name: Cache Xen debball 28 | id: cache-xen 29 | uses: actions/cache@v4 30 | with: 31 | path: xen/dist 32 | key: ${{ steps.get-xen-hash.outputs.XEN_HASH }} 33 | - name: Create Xen debball 34 | if: steps.cache-xen.outputs.cache-hit != 'true' 35 | run: | 36 | sudo apt-get install -y wget git bcc bin86 gawk bridge-utils \ 37 | iproute2 libcurl4-openssl-dev bzip2 libpci-dev build-essential \ 38 | make gcc libc6-dev libc6-dev-i386 linux-libc-dev zlib1g-dev \ 39 | libncurses5-dev patch libvncserver-dev libssl-dev libsdl-dev iasl \ 40 | libbz2-dev e2fslibs-dev git-core uuid-dev ocaml libx11-dev \ 41 | ocaml-findlib xz-utils gettext libyajl-dev libpixman-1-dev \ 42 | libaio-dev libfdt-dev cabextract libglib2.0-dev autoconf automake \ 43 | libtool libfuse-dev liblzma-dev ninja-build \ 44 | kpartx python3-dev python3-pip golang python-dev libsystemd-dev \ 45 | python3-tomli 46 | git submodule update --init xen 47 | cd xen 48 | ./configure --enable-githttp --enable-systemd --disable-pvshim 49 | make -j4 debball 50 | cd .. 
51 | - name: Install Xen debball 52 | run: | 53 | sudo dpkg -i xen/dist/xen-*.deb 54 | 55 | - name: Install LibVMI 56 | run: | 57 | git submodule update --init libvmi 58 | cd libvmi 59 | autoreconf -vif 60 | ./configure --disable-kvm --disable-file --disable-bareflank --disable-examples --disable-vmifs 61 | make -j2 62 | sudo make install 63 | sudo ldconfig 64 | cd .. 65 | 66 | - name: Download Coverity hash 67 | id: hash 68 | run: | 69 | wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=tklengyel%2Fdrakvuf&md5=1" -O coverity_tool.md5 70 | echo hash=$(cat coverity_tool.md5) >> $GITHUB_OUTPUT 71 | 72 | - uses: actions/cache@v4 73 | id: cache-coverity 74 | with: 75 | path: coverity 76 | key: ${{ steps.hash.outputs.hash }} 77 | 78 | - name: Download Coverity Build Tool 79 | if: steps.cache-coverity.outputs.cache-hit != 'true' 80 | run: | 81 | wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=tklengyel%2Fdrakvuf" -O coverity_tool.tgz 82 | mkdir -p coverity 83 | tar xzf coverity_tool.tgz --strip 1 -C coverity 84 | 85 | - name: Fixed world writable dirs 86 | run: | 87 | chmod go-w $HOME 88 | sudo chmod -R go-w /usr/share 89 | 90 | - name: Run autoreconf 91 | run: autoreconf -vif 92 | 93 | - name: Configure 94 | run: ./configure --enable-debug 95 | 96 | - name: Build with cov-build 97 | run: | 98 | export PATH=`pwd`/coverity/bin:$PATH 99 | cov-build --dir cov-int make 100 | 101 | - name: Submit the result to Coverity Scan 102 | run: | 103 | tar czvf drakvuf.tgz cov-int 104 | curl \ 105 | --form token=$TOKEN \ 106 | --form email=tamas.k.lengyel@gmail.com \ 107 | --form file=@drakvuf.tgz \ 108 | --form version=main \ 109 | --form description="`git describe --always`" \ 110 | https://scan.coverity.com/builds?project=tklengyel%2Fdrakvuf 111 | -------------------------------------------------------------------------------- /.github/workflows/cppcheck.yml: 
-------------------------------------------------------------------------------- 1 | name: cppcheck 2 | on: 3 | pull_request: 4 | branches: [ main ] 5 | permissions: 6 | contents: read 7 | jobs: 8 | cppcheck: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@v4 12 | - name: cppcheck 13 | run: | 14 | sudo apt-get update -q 15 | sudo apt-get install -y cppcheck 16 | git submodule update --init --recursive libvmi 17 | cppcheck --error-exitcode=1 --force -Ilibvmi --include=libvmi/libvmi/libvmi.h ./src 18 | -------------------------------------------------------------------------------- /.github/workflows/cpplint.yml: -------------------------------------------------------------------------------- 1 | name: cpplint 2 | on: 3 | pull_request: 4 | branches: [ main ] 5 | permissions: 6 | contents: read 7 | jobs: 8 | cpplint: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@v4 12 | - name: install dependencies 13 | run: | 14 | pip3 install cpplint 15 | 16 | - name: cpplint 17 | run: | 18 | export PATH=$PATH:~/.local/bin 19 | cpplint \ 20 | --filter=-whitespace,-legal,-runtime/int,-runtime/explicit,-build/header_guard,-build/include_subdir,-build/include_what_you_use,-build/include_order \ 21 | --recursive \ 22 | --verbose=5 \ 23 | src/plugins/plugins.cpp \ 24 | src/plugins/plugins_ex.cpp \ 25 | src/plugins/output_format/* \ 26 | src/libusermode/* \ 27 | src/libhook/* 28 | -------------------------------------------------------------------------------- /.github/workflows/deb.yml: -------------------------------------------------------------------------------- 1 | name: Build package 2 | on: 3 | push: 4 | branches: [ main ] 5 | pull_request: 6 | branches: [ main ] 7 | permissions: 8 | contents: read 9 | concurrency: 10 | group: deb-${{ github.ref }} 11 | cancel-in-progress: true 12 | jobs: 13 | deb: 14 | runs-on: ubuntu-latest 15 | strategy: 16 | fail-fast: false 17 | matrix: 18 | container: 19 | - "debian:bookworm" 20 | - "ubuntu:jammy" 
21 | - "ubuntu:noble" 22 | steps: 23 | - uses: actions/checkout@v4 24 | with: 25 | submodules: recursive 26 | - name: Generate variables 27 | id: gen_vars 28 | run: | 29 | XEN_COMMIT=$(git ls-tree HEAD xen | cut -f3 '-d ' | cut -f1 -d$'\t') 30 | echo "Xen commit: $XEN_COMMIT" 31 | echo xen_commit=${XEN_COMMIT} >> $GITHUB_OUTPUT 32 | CONTAINER=$(echo ${{ matrix.container }} | tr -d ":") 33 | echo "container=$CONTAINER" >> $GITHUB_OUTPUT 34 | DRAKVUFVERSION=$(./scripts/version.sh --dev) 35 | echo "DRAKVUF version: $DRAKVUFVERSION" 36 | echo "drakvufversion=$DRAKVUFVERSION" >> $GITHUB_OUTPUT 37 | XENVERSION=$(./xen/version.sh --full ./xen/xen/Makefile) 38 | echo "Xen version: $XENVERSION" 39 | echo "xenversion=$XENVERSION" >> $GITHUB_OUTPUT 40 | - name: Cache Xen intermediate 41 | uses: actions/cache@v4 42 | with: 43 | path: | 44 | package/cache 45 | key: xen-${{ matrix.container }}-${{ steps.gen_vars.outputs.xen_commit }}-v7 46 | - name: Build package 47 | id: build_drakvuf_deb 48 | run: | 49 | sh package/build.sh "${{ matrix.container }}" "${{ steps.gen_vars.outputs.drakvufversion }}" "${{ steps.gen_vars.outputs.xenversion }}" 50 | DRAKVUF_DEB_PATH=$(find package/out/drakvuf*.deb | head -n1) 51 | XEN_DEB_PATH=$(find package/out/xen*.deb | head -n1) 52 | if [ ! -z $DRAKVUF_DEB_PATH ]; then 53 | cp $DRAKVUF_DEB_PATH ${{ github.workspace}} 54 | fi 55 | if [ ! 
-z $XEN_DEB_PATH ]; then 56 | cp $XEN_DEB_PATH ${{ github.workspace }} 57 | fi 58 | - uses: actions/upload-artifact@v4 59 | with: 60 | name: ${{ steps.gen_vars.outputs.container }}-debs 61 | path: ${{ github.workspace }}/*.deb 62 | 63 | release: 64 | needs: [deb] 65 | runs-on: ubuntu-latest 66 | if: github.event_name == 'push' && github.ref == 'refs/heads/main' 67 | steps: 68 | - uses: actions/download-artifact@v4 69 | - name: Generate variables 70 | id: gen_vars 71 | run: | 72 | echo short_sha=$(echo ${GITHUB_SHA} | cut -c1-8) >> $GITHUB_OUTPUT 73 | echo cur_datetime=$(date '+%Y-%m-%d %H:%M:%S') >> $GITHUB_OUTPUT 74 | 75 | - name: Delete old release 76 | uses: dev-drprasad/delete-older-releases@5494cd8b61c31b3c7a15f6267901195ec7df64e8 # pin 0.3.2 77 | env: 78 | GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} 79 | with: 80 | repo: tklengyel/drakvuf-builds 81 | keep_latest: 0 82 | delete_tags: true 83 | 84 | - name: Create a Release 85 | env: 86 | GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }} 87 | run: | 88 | release_tag="build-${{ github.sha }}" 89 | title="DRAKVUF ${{ steps.gen_vars.outputs.cur_datetime }} ${{ steps.gen_vars.outputs.short_sha }}" 90 | gh release create $release_tag --notes "Automated build" -R tklengyel/drakvuf-builds -t "$title" 91 | for deb in $(find . 
-name "*.deb"); do 92 | gh release upload $release_tag $deb -R tklengyel/drakvuf-builds 93 | done 94 | 95 | install: 96 | needs: [deb] 97 | runs-on: ubuntu-latest 98 | strategy: 99 | fail-fast: false 100 | matrix: 101 | container: 102 | - "debian:bookworm" 103 | - "ubuntu:jammy" 104 | - "ubuntu:noble" 105 | container: 106 | image: ${{ matrix.container}} 107 | steps: 108 | - uses: actions/checkout@v4 109 | 110 | - id: gen_vars 111 | run: | 112 | CONTAINER=$(echo ${{ matrix.container }} | tr -d ":") 113 | echo "container=$CONTAINER" >> $GITHUB_OUTPUT 114 | 115 | - uses: actions/download-artifact@v4 116 | with: 117 | name: ${{ steps.gen_vars.outputs.container }}-debs 118 | path: ~/debs 119 | 120 | - name: install 121 | run: ./scripts/install.sh ~/debs 122 | 123 | registry: 124 | needs: [deb] 125 | runs-on: ubuntu-latest 126 | if: github.event_name == 'push' && github.ref == 'refs/heads/main' 127 | steps: 128 | - uses: actions/checkout@v4 129 | 130 | - name: Set up Docker Buildx 131 | uses: docker/setup-buildx-action@v3 132 | 133 | - name: Login to Docker Hub 134 | uses: docker/login-action@v3 135 | with: 136 | username: ${{ secrets.DOCKERHUB_USERNAME }} 137 | password: ${{ secrets.DOCKERHUB_TOKEN }} 138 | 139 | - uses: actions/download-artifact@v4 140 | with: 141 | name: debianbookworm-debs 142 | path: debs 143 | 144 | - name: remove xen 145 | run: rm debs/*xen* 146 | 147 | - name: Build and push 148 | uses: docker/build-push-action@v5 149 | with: 150 | context: . 151 | file: package/Dockerfile-registry 152 | push: true 153 | tags: tklengyel/drakvuf:latest 154 | cache-from: type=gha 155 | cache-to: type=gha,mode=max 156 | -------------------------------------------------------------------------------- /.github/workflows/scorecards.yml: -------------------------------------------------------------------------------- 1 | # This workflow uses actions that are not certified by GitHub. 
They are provided 2 | # by a third-party and are governed by separate terms of service, privacy 3 | # policy, and support documentation. 4 | 5 | name: Scorecards supply-chain security 6 | on: 7 | # For Branch-Protection check. Only the default branch is supported. See 8 | # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection 9 | branch_protection_rule: 10 | # To guarantee Maintained check is occasionally updated. See 11 | # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained 12 | schedule: 13 | - cron: '33 12 * * 2' 14 | push: 15 | branches: [ "main" ] 16 | 17 | # Declare default permissions as read only. 18 | permissions: read-all 19 | 20 | jobs: 21 | analysis: 22 | name: Scorecards analysis 23 | runs-on: ubuntu-latest 24 | permissions: 25 | # Needed to upload the results to code-scanning dashboard. 26 | security-events: write 27 | # Needed to publish results and get a badge (see publish_results below). 28 | id-token: write 29 | # Uncomment the permissions below if installing in a private repository. 30 | # contents: read 31 | # actions: read 32 | 33 | steps: 34 | - name: "Checkout code" 35 | uses: actions/checkout@v4 36 | with: 37 | persist-credentials: false 38 | 39 | - name: "Run analysis" 40 | uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 41 | with: 42 | results_file: results.sarif 43 | results_format: sarif 44 | # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: 45 | # - you want to enable the Branch-Protection check on a *public* repository, or 46 | # - you are installing Scorecards on a *private* repository 47 | # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. 48 | # repo_token: ${{ secrets.SCORECARD_TOKEN }} 49 | 50 | # Public repositories: 51 | # - Publish results to OpenSSF REST API for easy access by consumers 52 | # - Allows the repository to include the Scorecard badge. 
53 | # - See https://github.com/ossf/scorecard-action#publishing-results. 54 | # For private repositories: 55 | # - `publish_results` will always be set to `false`, regardless 56 | # of the value entered here. 57 | publish_results: true 58 | 59 | # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF 60 | # format to the repository Actions tab. 61 | - name: "Upload artifact" 62 | uses: actions/upload-artifact@v4 63 | with: 64 | name: SARIF file 65 | path: results.sarif 66 | retention-days: 5 67 | 68 | # Upload the results to GitHub's code scanning dashboard. 69 | - name: "Upload to code-scanning" 70 | uses: github/codeql-action/upload-sarif@v3 71 | with: 72 | sarif_file: results.sarif 73 | -------------------------------------------------------------------------------- /.github/workflows/whitespace.yml: -------------------------------------------------------------------------------- 1 | name: whitespace 2 | on: 3 | pull_request: 4 | branches: [ main ] 5 | permissions: 6 | contents: read 7 | jobs: 8 | whitespace: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@v4 12 | - name: check 13 | run: | 14 | git remote add upstream https://github.com/$GITHUB_REPOSITORY 15 | git fetch upstream 16 | git diff --check upstream/main 17 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Object files 2 | *.o 3 | *.ko 4 | *.obj 5 | *.elf 6 | *.Po 7 | 8 | # Libraries 9 | **/*.lib 10 | **/*.a 11 | **/*.la 12 | **/*.lax 13 | **/*.lo 14 | **/*.Plo 15 | 16 | # autoconf/automake 17 | configure 18 | **/Makefile 19 | **/Makefile.in 20 | autom4te.cache/* 21 | compile 22 | aclocal.m4 23 | config.* 24 | depcomp 25 | install-sh 26 | missing 27 | stamp-h1 28 | **/*.deps 29 | **/*.libs 30 | **/*.dirstamp 31 | **/*.save 32 | **/*.swp 33 | **/*.rej 34 | 35 | # check unit tests files 36 | **/*.log 37 
| **/*.trs 38 | *check 39 | 40 | # drakvuf binaries 41 | drakvuf 42 | injector 43 | xen_memclone 44 | proc_stat 45 | repl 46 | xtf 47 | 48 | libtool 49 | ltmain.sh 50 | m4/*.m4 51 | src/dirwatch/dirwatch 52 | src/dirwatch/distributor 53 | src/helpers/hiddump/hiddump 54 | test-drive 55 | ylwrap 56 | 57 | # librepl 58 | src/librepl/libdrakvuf.py 59 | 60 | # meson 61 | build/* 62 | clang_output* 63 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "xen"] 2 | path = xen 3 | url = https://github.com/xen-project/xen 4 | ignore = dirty 5 | [submodule "libvmi"] 6 | path = libvmi 7 | url = https://github.com/libvmi/libvmi 8 | ignore = dirty 9 | [submodule "volatility3"] 10 | path = volatility3 11 | url = https://github.com/volatilityfoundation/volatility3 12 | ignore = dirty 13 | [submodule "dwarf2json"] 14 | path = dwarf2json 15 | url = https://github.com/tklengyel/dwarf2json 16 | ignore = dirty 17 | -------------------------------------------------------------------------------- /Makefile.am: -------------------------------------------------------------------------------- 1 | #********************IMPORTANT DRAKVUF LICENSE TERMS**********************# 2 | # # 3 | # DRAKVUF (C) 2014-2024 Tamas K Lengyel. # 4 | # Tamas K Lengyel is hereinafter referred to as the author. # 5 | # This program is free software; you may redistribute and/or modify it # 6 | # under the terms of the GNU General Public License as published by the # 7 | # Free Software Foundation; Version 2 ("GPL"), BUT ONLY WITH ALL OF THE # 8 | # CLARIFICATIONS AND EXCEPTIONS DESCRIBED HEREIN. This guarantees your # 9 | # right to use, modify, and redistribute this software under certain # 10 | # conditions. If you wish to embed DRAKVUF technology into proprietary # 11 | # software, alternative licenses can be acquired from the author. 
# 12 | # # 13 | # Note that the GPL places important restrictions on "derivative works", # 14 | # yet it does not provide a detailed definition of that term. To avoid # 15 | # misunderstandings, we interpret that term as broadly as copyright law # 16 | # allows. For example, we consider an application to constitute a # 17 | # derivative work for the purpose of this license if it does any of the # 18 | # following with any software or content covered by this license # 19 | # ("Covered Software"): # 20 | # # 21 | # o Integrates source code from Covered Software. # 22 | # # 23 | # o Reads or includes copyrighted data files. # 24 | # # 25 | # o Is designed specifically to execute Covered Software and parse the # 26 | # results (as opposed to typical shell or execution-menu apps, which will # 27 | # execute anything you tell them to). # 28 | # # 29 | # o Includes Covered Software in a proprietary executable installer. The # 30 | # installers produced by InstallShield are an example of this. Including # 31 | # DRAKVUF with other software in compressed or archival form does not # 32 | # trigger this provision, provided appropriate open source decompression # 33 | # or de-archiving software is widely available for no charge. For the # 34 | # purposes of this license, an installer is considered to include Covered # 35 | # Software even if it actually retrieves a copy of Covered Software from # 36 | # another source during runtime (such as by downloading it from the # 37 | # Internet). # 38 | # # 39 | # o Links (statically or dynamically) to a library which does any of the # 40 | # above. # 41 | # # 42 | # o Executes a helper program, module, or script to do any of the above. # 43 | # # 44 | # This list is not exclusive, but is meant to clarify our interpretation # 45 | # of derived works with some common examples. Other people may interpret # 46 | # the plain GPL differently, so we consider this a special exception to # 47 | # the GPL that we apply to Covered Software. 
Works which meet any of # 48 | # these conditions must conform to all of the terms of this license, # 49 | # particularly including the GPL Section 3 requirements of providing # 50 | # source code and allowing free redistribution of the work as a whole. # 51 | # # 52 | # Any redistribution of Covered Software, including any derived works, # 53 | # must obey and carry forward all of the terms of this license, including # 54 | # obeying all GPL rules and restrictions. For example, source code of # 55 | # the whole work must be provided and free redistribution must be # 56 | # allowed. All GPL references to "this License", are to be treated as # 57 | # including the terms and conditions of this license text as well. # 58 | # # 59 | # Because this license imposes special exceptions to the GPL, Covered # 60 | # Work may not be combined (even as part of a larger work) with plain GPL # 61 | # software. The terms, conditions, and exceptions of this license must # 62 | # be included as well. This license is incompatible with some other open # 63 | # source licenses as well. In some cases we can relicense portions of # 64 | # DRAKVUF or grant special permissions to use it in other open source # 65 | # software. Please contact tamas.k.lengyel@gmail.com with any such # 66 | # requests. Similarly, we don't incorporate incompatible open source # 67 | # software into Covered Software without special permission from the # 68 | # copyright holders. # 69 | # # 70 | # If you have any questions about the licensing restrictions on using # 71 | # DRAKVUF in other works, are happy to help. As mentioned above, # 72 | # alternative license can be requested from the author to integrate # 73 | # DRAKVUF into proprietary applications and appliances. Please email # 74 | # tamas.k.lengyel@gmail.com for further information. 
# 75 | # # 76 | # If you have received a written license agreement or contract for # 77 | # Covered Software stating terms other than these, you may choose to use # 78 | # and redistribute Covered Software under those terms instead of these. # 79 | # # 80 | # Source is provided to this software because we believe users have a # 81 | # right to know exactly what a program is going to do before they run it. # 82 | # This also allows you to audit the software for security holes. # 83 | # # 84 | # Source code also allows you to port DRAKVUF to new platforms, fix bugs, # 85 | # and add new features. You are highly encouraged to submit your changes # 86 | # on https://github.com/tklengyel/drakvuf, or by other methods. # 87 | # By sending these changes, it is understood (unless you specify # 88 | # otherwise) that you are offering unlimited, non-exclusive right to # 89 | # reuse, modify, and relicense the code. DRAKVUF will always be # 90 | # available Open Source, but this is important because the inability to # 91 | # relicense code has caused devastating problems for other Free Software # 92 | # projects (such as KDE and NASM). # 93 | # To specify special license conditions of your contributions, just say # 94 | # so when you send them. # 95 | # # 96 | # This program is distributed in the hope that it will be useful, but # 97 | # WITHOUT ANY WARRANTY; without even the implied warranty of # 98 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the DRAKVUF # 99 | # license file for more details (it's in a COPYING file included with # 100 | # DRAKVUF, and also available from # 101 | # https://github.com/tklengyel/drakvuf/COPYING) # 102 | # # 103 | #*************************************************************************# 104 | 105 | ACLOCAL_AMFLAGS = --install -I m4 106 | SUBDIRS = src 107 | EXTRA_DIST = autogen.sh 108 | EXTRA_DIST += scripts/wrap-compiler-for-flag-check 109 | EXTRA_DIST += tools/* 110 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # DRAKVUF© 2 | 3 | 4 | [![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/6836/badge)](https://bestpractices.coreinfrastructure.org/projects/6836) 5 | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/tklengyel/drakvuf/badge)](https://api.securityscorecards.dev/projects/github.com/tklengyel/drakvuf) 6 | [![ci](https://github.com/tklengyel/drakvuf/actions/workflows/ci.yml/badge.svg)](https://github.com/tklengyel/drakvuf/actions/workflows/ci.yml) 7 | [![Coverity](https://scan.coverity.com/projects/3238/badge.svg)](https://scan.coverity.com/projects/tklengyel-drakvuf) 8 | 9 | ## Introduction 10 | 11 | DRAKVUF is a virtualization based agentless black-box binary analysis system. DRAKVUF 12 | allows for in-depth execution tracing of arbitrary binaries (including operating 13 | systems), all without having to install any special software within the virtual machine 14 | used for analysis. 15 | 16 | ## Hardware requirements 17 | 18 | DRAKVUF uses hardware virtualization extensions found in Intel CPUs. You will need an 19 | Intel CPU with virtualization support (VT-x) and with Extended Page Tables (EPT). DRAKVUF 20 | is not going to work on any other CPUs (such as AMD) or on Intel CPUs without the 21 | required virtualization extensions. 
22 | 23 | ## Supported guests 24 | 25 | DRAKVUF currently supports: 26 | - Windows 7 - 8, both 32 and 64-bit 27 | - Windows 10 64-bit 28 | - Linux 2.6.x - 6.x, both 32-bit and 64-bit 29 | 30 | ## Pre-built Debian packages 31 | 32 | You can find pre-built Debian packages of the latest DRAKVUF builds at 33 | https://github.com/tklengyel/drakvuf-builds/releases 34 | 35 | ## Malware analysis 36 | 37 | DRAKVUF provides a perfect platform for stealthy malware analysis as its footprint is 38 | nearly undetectable from the malware's perspective. While DRAKVUF has been mainly 39 | developed with malware analysis in mind, it is certainly not limited to that task as it 40 | can be used to monitor the execution of anything that executes within a VM, including 41 | firmware, OS kernels and user-space processes. 42 | 43 | ## Graphical frontend 44 | 45 | If you would like a full-featured DRAKVUF GUI to set up as an automated analysis sandbox, check out the 46 | [DRAKVUF Sandbox project](https://github.com/CERT-Polska/drakvuf-sandbox). 47 | 48 | ## Installation steps 49 | 50 | Installation steps can be found on the project website: [https://drakvuf.com](https://drakvuf.com) 51 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security Policy 2 | 3 | ## Supported Versions 4 | 5 | | Version | Supported | 6 | | ------- | ------------------ | 7 | | 1.1.x | :white_check_mark: | 8 | | 1.0.x | :white_check_mark: | 9 | | < 0.8.x | :x: | 10 | 11 | ## Reporting a Vulnerability 12 | 13 | Please report security vulnerabilities privately through the GitHub Security Advisory at https://github.com/tklengyel/drakvuf/security/advisories. 
14 | -------------------------------------------------------------------------------- /autogen.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | autoreconf -vif 3 | -------------------------------------------------------------------------------- /ci/dll-hooks-list: -------------------------------------------------------------------------------- 1 | # DLL hooks list for tests on DRAKVUF CI 2 | user32.dll,CharLowerA,log+stack,lpstr 3 | user32.dll,SetRect,log+stack,lprect,int,int,int,int -------------------------------------------------------------------------------- /ci/syscalls.txt: -------------------------------------------------------------------------------- 1 | NtReadVirtualMemory 2 | NtCallbackReturn 3 | NtYieldExecution 4 | NtAdjustGroupsToken 5 | NtSetTimer2 6 | NtWaitForWorkViaWorkerFactory 7 | NtQuerySystemInformation 8 | NtOpenFile 9 | NtSetTimer 10 | NtClose 11 | NtOpenProcess 12 | NtOpenKey 13 | NtOpenKeyEx 14 | NtSetEvent 15 | -------------------------------------------------------------------------------- /llvm.ini: -------------------------------------------------------------------------------- 1 | [binaries] 2 | c = 'clang' 3 | cpp = 'clang++' 4 | c_ld = 'lld' 5 | cpp_ld = 'lld' 6 | ar = 'llvm-ar' 7 | as = 'llvm-as' 8 | size = 'llvm-size' 9 | objdump = 'llvm-objdump' 10 | objcopy = 'llvm-objcopy' 11 | -------------------------------------------------------------------------------- /m4/ax_require_defined.m4: -------------------------------------------------------------------------------- 1 | # =========================================================================== 2 | # https://www.gnu.org/software/autoconf-archive/ax_require_defined.html 3 | # =========================================================================== 4 | # 5 | # SYNOPSIS 6 | # 7 | # AX_REQUIRE_DEFINED(MACRO) 8 | # 9 | # DESCRIPTION 10 | # 11 | # AX_REQUIRE_DEFINED is a simple helper for making sure other macros have 12 | # 
been defined and thus are available for use. This avoids random issues 13 | # where a macro isn't expanded. Instead the configure script emits a 14 | # non-fatal: 15 | # 16 | # ./configure: line 1673: AX_CFLAGS_WARN_ALL: command not found 17 | # 18 | # It's like AC_REQUIRE except it doesn't expand the required macro. 19 | # 20 | # Here's an example: 21 | # 22 | # AX_REQUIRE_DEFINED([AX_CHECK_LINK_FLAG]) 23 | # 24 | # LICENSE 25 | # 26 | # Copyright (c) 2014 Mike Frysinger 27 | # 28 | # Copying and distribution of this file, with or without modification, are 29 | # permitted in any medium without royalty provided the copyright notice 30 | # and this notice are preserved. This file is offered as-is, without any 31 | # warranty. 32 | 33 | #serial 2 34 | 35 | AC_DEFUN([AX_REQUIRE_DEFINED], [dnl 36 | m4_ifndef([$1], [m4_fatal([macro ]$1[ is not defined; is a m4 file missing?])]) 37 | ])dnl AX_REQUIRE_DEFINED 38 | -------------------------------------------------------------------------------- /meson_options.txt: -------------------------------------------------------------------------------- 1 | option('hardening', type : 'boolean', value : true) 2 | option('ipt', type : 'boolean', value : true) 3 | 4 | option('release', type : 'boolean', value : false) 5 | option('xtf', type : 'boolean', value : 'false') 6 | option('repl', type : 'boolean', value : 'false') 7 | option('threadsafety', type : 'boolean', value : 'false') 8 | option('coverage', type : 'boolean', value : 'false') 9 | option('disable-output-buffering', type : 'boolean', value : 'false') 10 | 11 | option('plugin-syscalls', type : 'boolean', value : true) 12 | option('plugin-poolmon', type : 'boolean', value : true) 13 | option('plugin-filetracer', type : 'boolean', value : true) 14 | option('plugin-fileextractor', type : 'boolean', value : true) 15 | option('plugin-objmon', type : 'boolean', value : true) 16 | option('plugin-exmon', type : 'boolean', value : true) 17 | option('plugin-ssdtmon', type : 
'boolean', value : true) 18 | option('plugin-cpuidmon', type : 'boolean', value : true) 19 | option('plugin-debugmon', type : 'boolean', value : true) 20 | option('plugin-socketmon', type : 'boolean', value : true) 21 | option('plugin-regmon', type : 'boolean', value : true) 22 | option('plugin-procmon', type : 'boolean', value : true) 23 | option('plugin-bsodmon', type : 'boolean', value : true) 24 | option('plugin-envmon', type : 'boolean', value : true) 25 | option('plugin-crashmon', type : 'boolean', value : true) 26 | option('plugin-clipboardmon', type : 'boolean', value : true) 27 | option('plugin-windowmon', type : 'boolean', value : true) 28 | option('plugin-librarymon', type : 'boolean', value : true) 29 | option('plugin-dkommon', type : 'boolean', value : true) 30 | option('plugin-procdump', type : 'boolean', value : true) 31 | option('plugin-apimon', type : 'boolean', value : true) 32 | option('plugin-rpcmon', type : 'boolean', value : true) 33 | option('plugin-tlsmon', type : 'boolean', value : true) 34 | option('plugin-codemon', type : 'boolean', value : true) 35 | option('plugin-exploitmon', type : 'boolean', value : true) 36 | option('plugin-rootkitmon', type : 'boolean', value : true) 37 | option('plugin-spraymon', type : 'boolean', value : true) 38 | option('plugin-hidsim', type : 'boolean', value : true) 39 | option('plugin-callbackmon', type : 'boolean', value : true) 40 | option('plugin-delaymon', type : 'boolean', value : true) 41 | option('plugin-memdump', type : 'boolean', value : true) 42 | option('plugin-hidevm', type : 'boolean', value : true) 43 | option('plugin-ptracemon', type : 'boolean', value : true) 44 | option('plugin-ebpfmon', type : 'boolean', value : true) 45 | option('plugin-memaccessmon', type : 'boolean', value : true) 46 | option('plugin-unixsocketmon', type : 'boolean', value : true) 47 | option('plugin-etwmon', type : 'boolean', value : true) 48 | option('plugin-ipt', type : 'boolean', value : true) 49 | 
option('plugin-rebootmon', type : 'boolean', value : true) 50 | option('plugin-linkmon', type : 'boolean', value : true) 51 | option('plugin-procdump2', type : 'boolean', value : true) 52 | 53 | # Disabled by default plugins 54 | option('plugin-libhooktest', type : 'boolean', value : 'false') 55 | 56 | # Deprecated plugins 57 | option('plugin-wmimon', type : 'boolean', value : 'false') 58 | option('plugin-filedelete', type : 'boolean', value : 'false') 59 | -------------------------------------------------------------------------------- /package/.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "drakvuf"] 2 | path = drakvuf 3 | url = https://github.com/tklengyel/drakvuf.git 4 | -------------------------------------------------------------------------------- /package/Dockerfile-final: -------------------------------------------------------------------------------- 1 | FROM xen-intermediate 2 | 3 | COPY . /build 4 | RUN cd /build/dwarf2json && \ 5 | /usr/local/go/bin/go build 6 | RUN export INSTALL_PATH="/build/usr" && \ 7 | cd /build/libvmi && \ 8 | autoreconf -vif && \ 9 | ./configure --prefix=$INSTALL_PATH --disable-static --disable-kvm --disable-file --disable-bareflank --disable-safety-checks --enable-vmi-debug && \ 10 | make -j$(nproc) && \ 11 | make install && \ 12 | rm /build/usr/lib/libvmi.la && \ 13 | ldconfig 14 | RUN export INSTALL_PATH="/build/usr" && \ 15 | export DESTDIR="/build" && \ 16 | export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$INSTALL_PATH/lib" && \ 17 | export C_INCLUDE_PATH="$INSTALL_PATH/include" && \ 18 | export CPLUS_INCLUDE_PATH="$INSTALL_PATH/include" && \ 19 | export LDFLAGS="-L$INSTALL_PATH/lib" && \ 20 | export CFLAGS="-I$INSTALL_PATH/include" && \ 21 | cd /build && \ 22 | ldconfig && \ 23 | meson setup build --native-file llvm.ini --prefix "/usr" --pkg-config-path "$INSTALL_PATH/lib/pkgconfig" && \ 24 | ninja -C build install 25 | 26 | WORKDIR /build 27 | RUN chmod +x 
package/mkdeb 28 | CMD ./package/mkdeb 29 | -------------------------------------------------------------------------------- /package/Dockerfile-registry: -------------------------------------------------------------------------------- 1 | FROM debian:bullseye 2 | 3 | ENV DEBIAN_FRONTEND=noninteractive 4 | ENV USER root 5 | 6 | COPY ./debs/*.deb /tmp 7 | COPY ./package/extra/etc/ld.so.conf.d/host.conf /etc/ld.so.conf.d 8 | 9 | RUN apt-get update 10 | RUN apt-get --yes install nano wget git curl openssh-client && apt-get clean 11 | RUN dpkg -i /tmp/*.deb || : && \ 12 | apt-get -f --yes install && \ 13 | rm /tmp/*.deb 14 | 15 | RUN ldconfig 16 | 17 | CMD /bin/bash 18 | -------------------------------------------------------------------------------- /package/Dockerfile-xen: -------------------------------------------------------------------------------- 1 | ARG IMAGE 2 | FROM $IMAGE 3 | 4 | ENV DEBIAN_FRONTEND=noninteractive 5 | ENV USER root 6 | 7 | COPY package/depends.sh /tmp/depends.sh 8 | 9 | # build depends 10 | RUN mkdir -p /log && \ 11 | sh /tmp/depends.sh 12 | 13 | COPY xen /build-xen 14 | COPY package/configure-xen.sh /build-xen 15 | RUN cd /build-xen && \ 16 | chmod +x configure-xen.sh && \ 17 | ./configure-xen.sh && \ 18 | echo "Building Xen, this may take a few minutes..." && \ 19 | make -j$(nproc) dist-xen && \ 20 | make -j$(nproc) dist-tools && \ 21 | echo "Install Xen..." 
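&& \
    make -j$(nproc) install-xen && \
    make -j$(nproc) install-tools && \
    mv /build-xen/dist/install /dist-xen && \
    mkdir -p /dist-xen/usr/share/doc/xen && \
    mv /build-xen/LICENSES/* /dist-xen/usr/share/doc/xen && \
    rm -rf /build-xen
--------------------------------------------------------------------------------
/package/README.md:
--------------------------------------------------------------------------------
# DRAKVUF DEB Package builder

## Design
The build process uses Docker to ensure some level of build reproducibility, agnostic from the particular type of Continuous Integration being used. During the process, two Docker images are built:

* `Docker-xen` - intermediate, heavy image that contains all required build dependencies and Xen installation; it should be cached and it is rebuilt only if the Xen submodule hash was changed
* `Docker-final` - the image that inherits from the previous one, installs LibVMI&DRAKVUF and does final packaging to `.deb` and `.tar.gz`.


## Manual run
If you have Docker, you can run the build process manually, even on your own computer.

```
# sh package/build.sh
```

The built package should appear in `package/out` directory.
--------------------------------------------------------------------------------
/package/build.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# run ./package/build.sh [IMAGE] [DRAKVUFVERSION] [XENVERSION]
#
# Builds the xen-intermediate image (cached under package/cache, keyed by the
# base image name and the xen submodule hash), then the deb-build image, and
# finally runs package/mkdeb inside it with package/out mounted as /out.

# Without pipefail the status checked after "docker save | gzip" below is
# gzip's, so a failed docker save would silently leave a broken cache file.
set -o pipefail

IMAGE="ubuntu:22.04"
DRAKVUFVERSION=$2
XENVERSION=$3

if [ ! -z "$1" ]
then
    IMAGE="$1"
    echo "Overriding base image for build to: $IMAGE"
    shift
fi

XEN_HASH=$(git ls-files -s xen | cut -f2 '-d ')
if [ -z "$XEN_HASH" ]
then
    echo "Could not determine the xen submodule hash; run from the repository root" >&2
    exit 1
fi

mkdir -p package/cache
mkdir -p package/log

CACHE_FILE="package/cache/xen-intermediate-$IMAGE-$XEN_HASH.tar.gz"

if [ ! -f "$CACHE_FILE" ]
then
    echo "Building Xen intermediate $XEN_HASH..."

    # Run docker directly rather than re-parsing a command string through
    # `sh -c`: the base image name comes from argv and must not be able to
    # be interpreted as shell syntax.
    if ! docker build --build-arg "IMAGE=$IMAGE" -f package/Dockerfile-xen -t xen-intermediate .
    then
        echo "Xen intermediate image build failed, build log tail below"
        tail -n 200 package/log/xen-build.log
        exit 1
    fi

    echo "Removing old Xen intermediate image..."
    rm -f package/cache/xen-intermediate-*.tar.gz
    echo "Saving Xen intermediate..."

    if ! docker save xen-intermediate | gzip -c > "$CACHE_FILE"
    then
        echo "Failed to save Xen intermediate image"
        rm -f package/cache/xen-intermediate-*.tar.gz
        exit 1
    fi
else
    echo "Loading cached Xen intermediate $IMAGE-$XEN_HASH..."
    if ! docker load < "$CACHE_FILE"
    then
        echo "Failed to load Xen intermediate image"
        exit 1
    fi
fi

echo "Building final image..."
# $(pwd) is quoted so a checkout path containing spaces still mounts as one
# volume argument; mkdeb handles empty version arguments itself.
if ! docker build -f package/Dockerfile-final -t deb-build . \
    || ! docker run -v "$(pwd)/package/out:/out" deb-build ./package/mkdeb "$IMAGE" "$DRAKVUFVERSION" "$XENVERSION"
then
    echo "Failed to build package"
    exit 1
fi
--------------------------------------------------------------------------------
/package/configure-xen.sh:
--------------------------------------------------------------------------------
#!/bin/bash

## Disabling OVMF build due to github actions breakage:
## fatal: could not read Username for 'https://github.com': No such device or address

# Building OVMF is broken with gcc-11 (default on jammy)
# Unfortunately we can't just set CC in the environment because the edk2 build system is insane
# gcc-9 is not available on bookworm so there we build with no ovmf at all

OVMF=""
#GCC_VERSION=$(gcc --version | head -n1 | awk '{ print $4 }' | awk -F'.' 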
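'{ print $1 }')
#if [ ${GCC_VERSION} -gt 9 ] && [ -f /usr/bin/gcc-9 ]; then
# rm /usr/bin/gcc
# ln -s /usr/bin/gcc-9 /usr/bin/gcc
# OVMF="--enable-ovmf"
#fi

./configure --prefix=/usr --enable-githttp \
    --disable-pvshim --disable-werror \
    --with-extra-qemuu-configure-args="--disable-werror --disable-sdl" \
    --enable-systemd $OVMF

echo CONFIG_EXPERT=y > xen/.config
echo CONFIG_MEM_SHARING=y >> xen/.config
make -C xen olddefconfig

exit 0
--------------------------------------------------------------------------------
/package/depends.sh:
--------------------------------------------------------------------------------
#!/bin/sh
#
# Install the build dependencies for Xen, LibVMI and DRAKVUF inside the
# package build container (invoked from package/Dockerfile-xen). Runs as
# root and modifies the apt sources of the container.

set -e

apt-get update
apt-get install -y lsb-release patch

SYSTEM=$(lsb_release -is)
DISTRIBUTION=$(lsb_release -cs)

# Enable deb-src entries so that `apt-get build-dep xen` below can resolve.
if [ "$SYSTEM" = "Debian" ]
then
    echo "deb-src http://deb.debian.org/debian ${DISTRIBUTION} main" >> /etc/apt/sources.list
else
    if [ "$DISTRIBUTION" = "noble" ]; then
        # noble ships its archive definition in deb822 format.
        sed -i 's/^Types: deb$/Types: deb deb-src/' /etc/apt/sources.list.d/ubuntu.sources
    else
        sed -i 's/# deb-src/deb-src/g' /etc/apt/sources.list
    fi
fi

apt-get update
apt-get --quiet --yes install build-essential git wget curl cmake flex bison \
    libjson-c-dev autoconf-archive clang python3-dev libsystemd-dev nasm bc \
    libx11-dev ninja-build python3-pip meson llvm lld zlib1g-dev python3-tomli

# gcc-9 is only installed where the distribution still packages it.
if [ "$(apt-cache show gcc-9 2>/dev/null | wc -l)" -gt 0 ]; then
    apt-get --quiet --yes install gcc-9
fi

# Go toolchain (used to build dwarf2json). The archive's SHA-256 is verified
# against the checksum published next to it before extraction, so a truncated
# or corrupted download cannot become the container's toolchain; because the
# checksum comes from the same origin this only protects integrity in
# transit — pinning the expected hash in this repository would be stronger.
# The archive and checksum file are removed afterwards so they are not
# carried into the final image.
GO_TARBALL="go1.21.6.linux-amd64.tar.gz"
wget "https://go.dev/dl/${GO_TARBALL}" -O "/usr/local/${GO_TARBALL}"
wget "https://go.dev/dl/${GO_TARBALL}.sha256" -O "/usr/local/${GO_TARBALL}.sha256"
(
    cd /usr/local
    printf '%s  %s\n' "$(cat "${GO_TARBALL}.sha256")" "${GO_TARBALL}" | sha256sum -c -
)
tar -C /usr/local -xzf "/usr/local/${GO_TARBALL}"
rm -f "/usr/local/${GO_TARBALL}" "/usr/local/${GO_TARBALL}.sha256"

HAS_PYTHON_IS_PYTHON=$(apt-cache search --names-only '^python-is-python2$')

if [ -n "$HAS_PYTHON_IS_PYTHON" ]
then
    apt-get --quiet --yes install python-is-python2
fi

# libgnutls28 is required for the password-protected VNC to work in Xen 4.16+.
# See: https://bugs.gentoo.org/832494
apt-get install -y libgnutls28-dev
apt-get --quiet --yes build-dep xen
apt-get autoremove -y
apt-get clean

rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/*
--------------------------------------------------------------------------------
/package/extra/etc/default/grub.d/xen.cfg:
--------------------------------------------------------------------------------
#
# Uncomment the following variable and set to 0 or 1 to avoid warning.
#
#XEN_OVERRIDE_GRUB_DEFAULT=0

echo "Including Xen overrides from /etc/default/grub.d/xen.cfg"
echo "Using DRAKVUF-optimized settings for Xen"

#
# Uncomment the following lines in order to set Domain 0 CPU and memory
# manually instead of using default auto-detected settings.
# The more resources you dedicate to the host system, the less remains
# to the guest systems in virtual machines.
#
# DRAK_DOM0_CPU=2
# DRAK_DOM0_RAM=2048

if command -v drak-find-xen-defaults >/dev/null
then
    echo Detected that drakvuf-bundle is installed.
else
    echo "\e[31mWARNING!\e[0m Looks like DRAKVUF bundle is not installed."
    echo "\e[31mWARNING!\e[0m Xen will be not configured to work with DRAKVUF"
    exit 0
fi

. 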
drak-find-xen-defaults 28 | 29 | echo "------------------------------------------" 30 | echo "" 31 | echo "Resources dedicated to Dom0 (host system):" 32 | echo "-> CPU core(s): ${DRAK_DOM0_CPU}" 33 | echo "-> Memory: ${DRAK_DOM0_RAM} MB" 34 | echo "" 35 | echo "------------------------------------------" 36 | 37 | echo "You can edit these settings in /etc/default/grub.d/xen.cfg" 38 | 39 | # 40 | # When running update-grub with the Xen hypervisor installed, there are 41 | # some additional variables that can be used to pass options to the 42 | # hypervisor or the dom0 kernel. 43 | 44 | # The following two are used to generate arguments for the hypervisor: 45 | # 46 | GRUB_CMDLINE_XEN_DEFAULT="dom0_mem=${DRAK_DOM0_RAM}M,max:${DRAK_DOM0_RAM}M dom0_max_vcpus=${DRAK_DOM0_CPU} dom0_vcpus_pin=1 force-ept=1 ept=ad=0 hap_1gb=0 hap_2mb=0 altp2m=1 hpet=legacy-replacement smt=0 sched=credit" 47 | #GRUB_CMDLINE_XEN="" 48 | # 49 | # For example: 50 | # 51 | # dom0_mem=[M]:max=[M] 52 | # Sets the amount of memory dom0 uses (max prevents balloning for more) 53 | # com[12]=, 54 | # Initialize a serial console from in the hypervisor (eg. 115200,8n1) 55 | # Note that com1 would be ttyS0 in Linux. 56 | # console=[, ...] 57 | # Redirects Xen hypervisor console (eg. com1,vga) 58 | 59 | # 60 | # The next two lines are used for creating kernel arguments for the dom0 61 | # kernel. This allows to have different options for the same kernel used 62 | # natively or as dom0 kernel. 63 | # 64 | GRUB_CMDLINE_LINUX_XEN_REPLACE_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet splash nomodeset" 65 | #GRUB_CMDLINE_LINUX_XEN_REPLACE="$GRUB_CMDLINE_LINUX" 66 | # 67 | # For example: 68 | # 69 | # earlyprintk=xenboot 70 | # Allows to send early printk messages to the Xen hypervisor console 71 | # console=hvc0 72 | # Redirects the Linux console to the hypervisor console 73 | 74 | # 75 | # Make booting into Xen the default if not changed above. 
Finding the 76 | # current string for it always has been a problem. 77 | # 78 | if [ "$XEN_OVERRIDE_GRUB_DEFAULT" = "" ]; then 79 | echo "WARNING: GRUB_DEFAULT changed to boot into Xen by default!" 80 | echo " Edit /etc/default/grub.d/xen.cfg to avoid this warning." 81 | XEN_OVERRIDE_GRUB_DEFAULT=1 82 | fi 83 | if [ "$XEN_OVERRIDE_GRUB_DEFAULT" = "1" ]; then 84 | GRUB_DEFAULT=$( \ 85 | printf "$(gettext "%s, with Xen hypervisor")" \ 86 | "$GRUB_DISTRIBUTOR GNU/Linux") 87 | fi 88 | -------------------------------------------------------------------------------- /package/extra/etc/dnsmasq.conf: -------------------------------------------------------------------------------- 1 | port=53 2 | listen-address=10.0.0.1 3 | -------------------------------------------------------------------------------- /package/extra/etc/ld.so.conf.d/host.conf: -------------------------------------------------------------------------------- 1 | /host/usr/lib 2 | /host/usr/local/lib 3 | /host/usr/local/lib/xen 4 | -------------------------------------------------------------------------------- /package/extra/etc/modules-load.d/xen.conf: -------------------------------------------------------------------------------- 1 | # drakvuf-bundle 2 | 3 | xen-evtchn 4 | xen-privcmd 5 | xen-gntdev 6 | -------------------------------------------------------------------------------- /package/extra/usr/bin/drak-find-xen-defaults: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -e 4 | 5 | IS_XEN=0 6 | xen-detect -N || IS_XEN=$? 
7 | 8 | if [ $IS_XEN = 1 ] 9 | then 10 | DRAK_TOTAL_CPU=$(xl info | grep nr_cpus | cut -f2 '-d:' | xargs) 11 | DRAK_TOTAL_RAM=$(xl info | grep total_memory | cut -f2 '-d:' | xargs) 12 | else 13 | DRAK_TOTAL_CPU=$(nproc --all) 14 | DRAK_TOTAL_RAM=$(($(getconf _PHYS_PAGES) * $(getconf PAGE_SIZE) / (1024 * 1024))) 15 | fi 16 | 17 | if [ -z "$DRAK_DOM0_CPU" ] 18 | then 19 | if [ $IS_XEN = 1 ] 20 | then 21 | DRAK_TOTAL_CPU=$(xl info | grep nr_cpus | cut -f2 '-d:' | xargs) 22 | else 23 | DRAK_TOTAL_CPU=$(nproc --all) 24 | fi 25 | 26 | DRAK_DOM0_CPU=$(expr "$DRAK_TOTAL_CPU" / 2) 27 | fi 28 | 29 | if [ -z "$DRAK_DOM0_RAM" ] 30 | then 31 | if [ $IS_XEN = 1 ] 32 | then 33 | DRAK_TOTAL_RAM=$(xl info | grep total_memory | cut -f2 '-d:' | xargs) 34 | else 35 | DRAK_TOTAL_RAM=$(($(getconf _PHYS_PAGES) * $(getconf PAGE_SIZE) / (1024 * 1024))) 36 | fi 37 | 38 | DRAK_DOM0_RAM=$(expr "$DRAK_TOTAL_RAM" / 2) 39 | fi 40 | -------------------------------------------------------------------------------- /package/mkdeb: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # mkdeb: package the dist/install output of a Xen build in a .deb 4 | 5 | set -e 6 | 7 | distro=$(echo $1 | tr ":" "-") 8 | version="$2" 9 | xenversion="$3" 10 | 11 | if [ "$distro" = "" ] 12 | then 13 | distro=generic 14 | fi 15 | 16 | if [ "$version" = "" ] 17 | then 18 | echo "Specify DRAKVUF version" 19 | exit 1 20 | fi 21 | 22 | if [ "$xenversion" = "" ] 23 | then 24 | echo "Specify Xen version" 25 | exit 1 26 | fi 27 | 28 | arch=amd64 29 | 30 | ## BUILD XEN DEB 31 | 32 | # Prepare the directory to package 33 | cp -a /dist-xen deb 34 | 35 | # Debian doesn't use /usr/lib64 for 64-bit libraries 36 | if test -d deb/usr/lib64 ; then 37 | cp -a deb/usr/lib64/* deb/usr/lib/ 38 | rm -rf deb/usr/lib64 39 | fi 40 | 41 | # Fill in the debian boilerplate 42 | mkdir -p deb/DEBIAN 43 | cat >deb/DEBIAN/control < 49 | Depends: libpixman-1-0, libpng16-16, libnettle6 | libnettle7 | 
libnettle8, libgnutls30, libfdt1, libyajl2, libaio1 | libaio1t64, libncurses6, libc6, libtinfo6, libgnutls28-dev, systemd, lvm2 50 | Conflicts: xen-hypervisor-4.6-amd64, xen-hypervisor-4.7-amd64, xen-hypervisor-4.8-amd64, xen-hypervisor-4.9-amd64, xen-hypervisor-4.10-amd64, xen-hypervisor-4.11-amd64, xen-hypervisor-4.12-amd64, xen-hypervisor-4.13-amd64, xen-hypervisor-4.14-amd64, xen-hypervisor-4.15-amd64, xen-hypervisor-4.16-amd64, xen-hypervisor-4.17-amd64, xen-hypervisor-4.18-amd64 51 | Section: admin 52 | Priority: optional 53 | Installed-Size: $(du -ks deb | cut -f1) 54 | Description: Xen Hypervisor built for DRAKVUF 55 | EOF 56 | 57 | mkdir -p deb/etc/default/grub.d/ 58 | mkdir -p deb/etc/modules-load.d/ 59 | cp package/extra/etc/default/grub.d/xen.cfg deb/etc/default/grub.d/ 60 | cp package/extra/etc/modules-load.d/xen.conf deb/etc/modules-load.d/ 61 | cp package/extra/usr/bin/drak-find-xen-defaults deb/usr/bin/ 62 | 63 | # Find all /etc files and add them to conffiles 64 | find deb/etc -type f -printf /etc/%P\\n >deb/DEBIAN/conffiles 65 | cp package/postinst deb/DEBIAN/postinst 66 | cp package/postrm deb/DEBIAN/postrm 67 | 68 | # Package it up 69 | chown -R root:root deb 70 | dpkg-deb --build -z0 deb "xen-hypervisor-$xenversion-$distro-amd64.deb" 71 | mv *.deb /out 72 | rm -rf deb 73 | 74 | ## DRAKVUF, LibVMI & tools 75 | 76 | # Fill in the debian boilerplate 77 | mkdir -p deb/DEBIAN 78 | cat >deb/DEBIAN/control < 84 | Depends: libglib2.0-0, libjson-c3 | libjson-c4 | libjson-c5, python3, libx11-6 85 | Section: admin 86 | Priority: optional 87 | Installed-Size: $(du -ks deb | cut -f1) 88 | Description: DRAKVUF bundle 89 | EOF 90 | 91 | mkdir -p deb/usr/bin/ 92 | cp -avr /build/usr/bin/* deb/usr/bin/ 93 | 94 | mkdir -p deb/usr/lib/ 95 | cp -avr /build/usr/lib/* deb/usr/lib/ 96 | 97 | mkdir -p deb/usr/include/ 98 | cp -avr /build/usr/include/* deb/usr/include/ 99 | 100 | mkdir -p deb/usr/share/doc/dwarf2json 101 | cp -avr /build/dwarf2json/LICENSE.txt 
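deb/usr/share/doc/dwarf2json
cp -avr /build/dwarf2json/dwarf2json deb/usr/bin/

mkdir -p deb/opt/volatility3
cp -avr /build/volatility3/* deb/opt/volatility3

mkdir -p deb/usr/share/doc/libvmi
cp -avr /build/libvmi/COPYING deb/usr/share/doc/libvmi

mkdir -p deb/usr/share/doc/drakvuf
cp -avr /build/COPYING deb/usr/share/doc/drakvuf

# The control file for this package was written before any payload was copied
# into deb/, so the Installed-Size it recorded only measured DEBIAN/control.
# Refresh the field now that the tree is complete (apt/dpkg use it for their
# free-space checks).
sed -i "s/^Installed-Size:.*/Installed-Size: $(du -ks deb | cut -f1)/" deb/DEBIAN/control

# Package it up
chown -R root:root deb
dpkg-deb --build -z0 deb "drakvuf-bundle-$version-$distro.deb"
mv *.deb /out
rm -rf deb
-------------------------------------------------------------------------------- /package/postinst: --------------------------------------------------------------------------------
#!/bin/bash
# Maintainer script for the xen-hypervisor package built by package/mkdeb.
# dpkg runs it as `postinst configure <version>` after unpacking, and with an
# abort-* argument when an upgrade/removal/deconfigure is being rolled back.

set -e

case "$1" in
    configure)
        if command -v update-grub > /dev/null && [ -d /boot/grub ]; then
            update-grub || :
        fi
        ;;

    abort-upgrade|abort-remove|abort-deconfigure)
        # dpkg is backing out of a failed operation; there is nothing to
        # configure. Previously the service/fstab/EPT steps below ran for these
        # invocations too.
        exit 0
        ;;

    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
        ;;
esac

# --- everything below runs only for `configure` ---------------------------

systemctl enable xen-qemu-dom0-disk-backend.service
systemctl enable xen-init-dom0.service
systemctl enable xenconsoled.service

# Mount /proc/xen at boot. `nofail` keeps a boot of the plain (non-Xen) GRUB
# entry from stalling on the missing filesystem. postrm deletes exactly this
# line again, so keep the two in sync.
FSTAB_LINE="none /proc/xen xenfs defaults,nofail 0 0"
if grep -qF 'xenfs' /etc/fstab; then
    echo "xenfs is already added to /etc/fstab" >&2
else
    echo "add xenfs to /etc/fstab" >&2
    echo "$FSTAB_LINE" >> /etc/fstab
fi

# RUNNING_XEN stays 0 ("bare metal") when xen-detect is absent or when
# `xen-detect -N` succeeds; a non-zero exit from `-N` is treated as "running
# under Xen" (dom0 included), matching the messages printed below.
RUNNING_XEN=0
if command -v xen-detect >/dev/null 2>&1; then
    xen-detect -N || RUNNING_XEN=$?
fi

# EPT_SUPPORTED: 1 if Intel EPT was detected, 0 otherwise. Bare metal exposes
# the flag in /proc/cpuinfo; under Xen the hypervisor log is consulted instead.
EPT_SUPPORTED=0
if [[ $RUNNING_XEN -eq 0 ]]; then
    echo "Detected system is not running on Xen, checking EPT support in /proc/cpuinfo..." >&2
    if grep -qw 'ept' /proc/cpuinfo; then
        EPT_SUPPORTED=1
    fi
else
    echo "Detected system is running on Xen, checking EPT support in xl dmesg..." >&2
    if xl dmesg | grep -q -- '- Extended Page Tables'; then
        EPT_SUPPORTED=1
    fi
fi

if [[ $EPT_SUPPORTED -eq 0 ]]; then
    echo "------------------------------------------------------------------------" >&2
    echo "" >&2
    echo "Your processor doesn't seem to support Extended Page Tables (Intel EPT) " >&2
    echo "DRAKVUF may not work properly on your machine." >&2
    echo "" >&2
    echo "------------------------------------------------------------------------" >&2
else
    echo "Intel EPT is supported by your CPU" >&2
fi

exit 0
-------------------------------------------------------------------------------- /package/postrm: --------------------------------------------------------------------------------
#!/bin/bash
# Maintainer script for the xen-hypervisor package built by package/mkdeb.
# Undoes what postinst did, but only when the package is actually going away.

set -e

case "$1" in
    remove|purge)
        if command -v update-grub > /dev/null && [ -d /boot/grub ]; then
            update-grub || :
        fi
        ;;

    disappear|upgrade|failed-upgrade|abort-install|abort-upgrade)
        # On an upgrade the old package's `postrm upgrade` runs before the new
        # package's `postinst configure`; disabling the services and editing
        # fstab here (as this script used to do for every argument) would only
        # be undone a moment later, or leave the system without the units if
        # the new postinst then fails.
        exit 0
        ;;

    *)
        echo "postrm called with unknown argument \`$1'" >&2
        exit 1
        ;;
esac

# --- everything below runs only for `remove` / `purge` ----------------------

# Delete exactly the line postinst appended (a `\@...@d` address so the
# slashes in the path need no escaping). A backup is left as /etc/fstab.bak.
sed -i.bak "\@^none /proc/xen xenfs defaults,nofail 0 0@d" /etc/fstab

# The unit files may already have been removed by the time postrm runs, so a
# failing `disable` must not abort the removal and leave dpkg half-removed.
systemctl disable xen-qemu-dom0-disk-backend.service || :
systemctl disable xen-init-dom0.service || :
systemctl disable xenconsoled.service || :

exit 0
-------------------------------------------------------------------------------- /scripts/complexity.sh: --------------------------------------------------------------------------------
#!/bin/bash
meson setup _complexity --native-file llvm.ini
cd _complexity
run-clang-tidy -quiet \
    -config="{Checks: 'readability-function-cognitive-complexity', CheckOptions: [{key: readability-function-cognitive-complexity.Threshold, value: 25}, {key: 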
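readability-function-cognitive-complexity.DescribeBasicIncrements, value: False}]}" \
    2>/dev/null | \
    grep warning | grep "cognitive complexity" > complexity.log || :

complexity=0
complex_functions=0
# Each clang-tidy line looks like: <file>:<line>:<col>: warning: function '<name>' has cognitive complexity of <N> ...
while read -r log; do
    file=$(echo "$log" | awk -F":" '{ print $1 }')
    line=$(echo "$log" | awk -F":" '{ print $2 }')
    function=$(echo "$log" | awk -F"function" '{ print $2 }' | awk '{ print $1 }' | sed "s/'//g")
    score=$(echo "$log" | awk -F"cognitive complexity of" '{ print $2 }' | awk '{ print $1 }')

    echo "Complex function found: $file:$line $function(), complexity score: $score"

    complexity=$(( complexity + score ))
    (( complex_functions++ )) || :
done < complexity.log
mv complexity.log ..
cd ..
rm -rf _complexity

echo "Found $complex_functions complex functions"
echo "Final complexity sum of complex functions: $complexity"

echo "Functions: $complex_functions" >> complexity.log
echo "Sum: $complexity" >> complexity.log
-------------------------------------------------------------------------------- /scripts/install.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Install DRAKVUF and its matching Xen hypervisor from pre-built .deb packages.
#
# Usage: ./scripts/install.sh [STABLE|LATEST|<directory containing the .debs>]
#   STABLE  - fixed release 1.0 assets from github.com/tklengyel/drakvuf
#   LATEST  - newest release of github.com/tklengyel/drakvuf-builds
#   <dir>   - use already-downloaded packages from that directory
#
# Must be run as root (apt-get/dpkg). Needs network access unless <dir> is used.
#
# NOTE(review): the packages are downloaded over HTTPS and then installed with
# dpkg as root, but nothing here verifies a signature or checksum of the .deb
# files. Whoever can substitute a release asset (or terminate TLS in front of
# this host) gets root. Verify the downloads against hashes published out of
# band, or hand the script a directory of already-verified packages.
set -eo pipefail

# Set once apt/dpkg start modifying the system; the rollback below only makes
# sense after that point.
INSTALL_STARTED=0

# Best-effort removal of whatever a failed run left behind. The patterns are
# quoted so the shell never expands them against files in $PWD; apt-get does
# its own pattern matching.
error() {
    apt-get --yes remove 'xen*' || :
    apt-get --yes remove 'libxen*' || :
    apt-get --yes remove 'drakvuf*' || :
}

# EXIT handler. The previous unconditional `trap error EXIT` also fired on
# clean exits such as `--help`, removing every xen*/libxen*/drakvuf* package
# from a healthy system. Only a non-zero status is an error now, and the
# rollback only runs if package operations had actually begun.
on_exit() {
    local rc=$?
    trap - EXIT
    if [[ $rc -eq 0 ]]; then
        return 0
    fi
    if [[ $INSTALL_STARTED -eq 1 ]]; then
        error
    fi
    echo "An error was encountered while trying to install DRAKVUF" >&2
    exit 1
}
trap on_exit EXIT

# Download the fixed 1.0 release assets for a Debian codename ($1).
get_debian() {
    local version=$1

    case $version in
        buster)
            wget -q https://github.com/tklengyel/drakvuf/releases/download/1.0/debian_10-slim_drakvuf-bundle-1.0-git20221220221439+068b10f-1-generic.deb
            wget -q https://github.com/tklengyel/drakvuf/releases/download/1.0/debian_10-slim_xen-hypervisor-4.17.0-generic-amd64.deb
            ;;
        bullseye)
            wget -q https://github.com/tklengyel/drakvuf/releases/download/1.0/debian_11-slim_drakvuf-bundle-1.0-git20221220221439+068b10f-1-generic.deb
            wget -q https://github.com/tklengyel/drakvuf/releases/download/1.0/debian_11-slim_xen-hypervisor-4.17.0-generic-amd64.deb
            ;;
        *)
            echo "Unsupported Debian version: $version" >&2
            exit 1
            ;;
    esac
}

# Download the fixed 1.0 release assets for an Ubuntu codename ($1).
get_ubuntu() {
    local version=$1

    case $version in
        focal)
            wget -q https://github.com/tklengyel/drakvuf/releases/download/1.0/ubuntu_focal_drakvuf-bundle-1.0-git20221220221439+068b10f-1-generic.deb
            wget -q https://github.com/tklengyel/drakvuf/releases/download/1.0/ubuntu_focal_xen-hypervisor-4.17.0-generic-amd64.deb
            ;;
        jammy)
            wget -q https://github.com/tklengyel/drakvuf/releases/download/1.0/ubuntu_jammy_drakvuf-bundle-1.0-git20221220221439+068b10f-1-generic.deb
            wget -q https://github.com/tklengyel/drakvuf/releases/download/1.0/ubuntu_jammy_xen-hypervisor-4.17.0-generic-amd64.deb
            ;;
        *)
            echo "Unsupported Ubuntu version: $version" >&2
            exit 1
            ;;
    esac
}

# Fetch the packages for this host into $2.
#   $1 - STABLE or LATEST
#   $2 - directory to download into (created if missing)
get_packages() {
    local target=$1
    local package_dir=$2
    local distro version

    # /etc/os-release is shell syntax; evaluate it in a subshell so its own
    # VERSION= etc. cannot clobber this script's variables. The old
    # `grep ID` also matched ID_LIKE= and VERSION_ID=, so $DISTRO never was a
    # bare "ubuntu"/"debian" for the case statement below.
    distro=$(. /etc/os-release && printf '%s' "${ID:-}")
    version=$(. /etc/os-release && printf '%s' "${VERSION_CODENAME:-}")

    mkdir -p -- "$package_dir"
    pushd -- "$package_dir" >/dev/null

    if [[ $target == "LATEST" ]]; then
        local api="https://api.github.com/repos/tklengyel/drakvuf-builds/releases/latest"
        local listing debs deb
        # -f makes an HTTP error (e.g. API rate limiting) fail here instead of
        # silently yielding an empty asset list.
        listing=$(curl -fsS "$api") || {
            echo "Failed to query $api" >&2
            exit 1
        }
        # TODO(review): JSON parsed with grep/awk; switch to jq if it may be
        # required on target hosts.
        debs=$(printf '%s\n' "$listing" | grep "browser_download_url.*deb" | awk '{ print $2 }' | tr -d '"') || :
        while IFS= read -r deb; do
            [[ -n $deb ]] || continue
            if [[ $deb == *"$distro"* && $deb == *"$version"* ]]; then
                wget -q -- "$deb"
            fi
        done <<<"$debs"

        local downloaded
        shopt -s nullglob
        downloaded=(*.deb)
        shopt -u nullglob
        if [[ ${#downloaded[@]} -eq 0 ]]; then
            echo "$distro $version is not supported by this script" >&2
            exit 1
        fi
    elif [[ $target == "STABLE" ]]; then
        case $distro in
            ubuntu)
                get_ubuntu "$version"
                ;;
            debian)
                get_debian "$version"
                ;;
            *)
                echo "Unsupported distribution: $distro" >&2
                exit 1
                ;;
        esac
    else
        echo "Unknown target '$target': expected STABLE, LATEST or an existing directory" >&2
        exit 1
    fi

    popd >/dev/null
}

#################
VERSION=${1:-"STABLE"}
PACKAGE_DIR=packages

if [[ $VERSION == "--help" || $VERSION == "-h" ]]; then
    echo "./scripts/install.sh {STABLE|LATEST|<directory with .deb files>}"
    exit 0
fi

# Grab the debs, or use a directory of packages the caller already has
if [[ -d $VERSION ]]; then
    PACKAGE_DIR=$VERSION
else
    get_packages "$VERSION" "$PACKAGE_DIR"
fi

shopt -s nullglob
all_debs=("$PACKAGE_DIR"/*.deb)
xen_debs=("$PACKAGE_DIR"/*xen*.deb)
bundle_debs=("$PACKAGE_DIR"/*drakvuf-bundle*.deb)
shopt -u nullglob
if [[ ${#xen_debs[@]} -eq 0 || ${#bundle_debs[@]} -eq 0 ]]; then
    echo "No xen-hypervisor / drakvuf-bundle .deb found in $PACKAGE_DIR" >&2
    exit 1
fi

# Install
INSTALL_STARTED=1
apt-get update
apt-get --yes remove 'xen*' 'libxen*'
apt-get -f --yes install

# Pre-install each package's dependencies one by one; alternatives ("a | b")
# are tried individually and a miss is tolerated, dpkg -i below reports what
# is really unsatisfied. `dpkg-deb -f` prints only the Depends field, where
# the old `dpkg -I | grep Depends` also matched Pre-Depends.
for deb in "${all_debs[@]}"; do
    for p in $(dpkg-deb -f "$deb" Depends | tr -d ',|'); do
        apt-get --quiet --yes install "$p" || :
    done
done

dpkg -i "${xen_debs[@]}"
dpkg -i "${bundle_debs[@]}"

apt-get -f --yes install
apt-get --quiet --yes install python3-pip python3-venv

# NOTE(review): these wheels are pulled unpinned from PyPI at install time, so
# the resulting /opt/volatility3 environment is neither reproducible nor
# verified. Pin versions (ideally with --require-hashes) for production hosts.
python3 -m venv /opt/volatility3
# shellcheck disable=SC1091
source /opt/volatility3/bin/activate
pip3 install wheel construct pefile setuptools
cd /opt/volatility3
python3 setup.py build
python3 -m pip install .

echo "DRAKVUF was successfully installed"
echo "You should reboot your system now and pick Xen in your GRUB menu"
exit 0
-------------------------------------------------------------------------------- /scripts/version.sh: --------------------------------------------------------------------------------
#!/bin/sh
# Print the project version from line 2 of meson.build; with any argument,
# append the output of `git describe --always`.
version=$(head -n2 meson.build | tail -1 | awk '{ print $3 }' | awk -F"'" '{ print $2 }')

if [ $# = 1 ]
then
    gda=$(git describe --always)
    version="$version-$gda"
fi

echo "$version"
-------------------------------------------------------------------------------- /scripts/wrap-compiler-for-flag-check: --------------------------------------------------------------------------------
#!/bin/sh

# There is no way to make clang's "argument unused" warning fatal. So when
# configure checks for supported flags, it runs $CC, $CXX, $LD via this
# wrapper.
#
# Ideally the search string would also include 'clang: ' but this output might
# depend on clang's argv[0].

if out=$("$@" 2>&1); then
    echo "$out"
    if echo "$out" | grep 'warning: argument unused' >/dev/null; then
        echo "$0: found clang warning"
        exit 1
    else
        exit 0
    fi
else
    code=$?
    echo "$out"
    exit $code
fi
-------------------------------------------------------------------------------- /src/helpers/hiddump/readme.org: --------------------------------------------------------------------------------
* hiddump
A utility to record HID events.

** Overview
~hiddump~ is a utility program to capture HID events on a Linux system and store relative and normalized versions of those events in a binary file, which can then serve later as a template for sending those recorded HID events to an analysis guest by utilizing the plugin ~hidsim~ and the CLI argument ~--hid-template /path/to/events.bin~.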
6 | 7 | ** Dependencies 8 | ~hiddump~ is written in plain C and depends only on GlibC and X11. GlibC is required for general system interaction and the X window system is needed to read the screen dimensions. A task, which is actually needed to perform the mapping of mouse coordinates into a normalized value range. To ensure the availability of the the [[https://packages.debian.org/search?keywords=libx11-dev][X11-library]], run ~sudo apt install libx11-dev~ on a Debian-based box. 9 | ** Compilation 10 | The compilation of this tool is performed by Drakvuf's-automake system. The only requirement for this is, that the a/m X11-library is available on the system running =configure= and =make=. So if you build Drakvuf on a machine with an X server, just run the usual compilation steps from within Drakvuf's root directory: 11 | 12 | #+begin_src shell 13 | ./autogen.sh 14 | ./configure --enable-debug 15 | make -j6 16 | #+end_src 17 | 18 | If you want or need to compile the tool separately, this can be accomplished with the following command: 19 | 20 | ~gcc -o hiddump hiddump.c -lX11~. 21 | 22 | ** Usage 23 | To run the tool, make sure to acquire root-privileges beforehand, which are needed to access the event-files, serving the events of the HID-devices. If you run it without any parameters, ~hiddump~ will try to find the current mouse-event file. (Note: this has been tested under Ubuntu 18.04 and 20.04) Then these mouse events will be captured for an inifinite amount of time until the user stops recording by typing =Ctrl+C=. Captured events will be outputted to stdout, while verbose debug information is sent to stderr. So the most basic usage of the tool is illustrated by the following command: 24 | 25 | #+begin_src shell 26 | sudo ./src/helpers/hiddump > events.bin 27 | #+end_src 28 | 29 | The resulting binary event data can be either redirected from stdout like in the example above or can be alternatively written directly to a file specified by a positional argument. 
If you want to capture events only for a certain amount of time, use the short option ~-d~ to specify the capture interval in seconds. To record events of one or multiple specific HID-devices, use ~-e /dev/input/eventXX~. Right now five event-files can be monitored at the same time at maximum. 30 | 31 | A comprehensive example of ~hiddump~'s usage could be the following one, which reads events for 30 seconds from two devices and saves those events in ~/tmp/events.bin~. 32 | 33 | #+begin_src shell 34 | sudo ./hiddump -e /dev/input/event16 -e /dev/input/8 -d 30 /tmp/events.bin 35 | #+end_src 36 | 37 | ~hiddump~ serves the following, self-explaining help page: 38 | 39 | #+begin_example 40 | usage: ./hiddump [-h] [-e /dev/input/eventX] [file] 41 | 42 | A utility to record HID events 43 | 44 | positional arguments: 45 | file binary file to store events 46 | 47 | optional arguments: 48 | -h show this help message and exit 49 | -e event file to read events from; 50 | multiple event files can be specifed -e file1 -e file2 (max. 3) 51 | -d time frame in seconds to record events 52 | 53 | examples: 54 | # capture mouse events infinitely 55 | ./hiddump > events.in 56 | 57 | # read from specified event files for 20 secs 58 | ./hiddump -e /dev/input/event7 -e /dev/input/event16 -d 20 events.bin 59 | 60 | 61 | #+end_example 62 | 63 | In order to identify relevant event files and retrieve their path, use the following commands: 64 | 65 | #+begin_src shell 66 | ls -l /dev/input/by-id | grep -E 'mouse|kbd' 67 | #+end_src 68 | 69 | or alternatively 70 | 71 | #+begin_src shell 72 | cat /proc/bus/input/devices | grep -E 'mouse|kdb' 73 | #+end_src 74 | 75 | ** Inner workings of the tool 76 | ~hiddump~ utilizes the [[https://www.kernel.org/doc/html/latest/input/input_uapi.html][input subsystem]] of the Linux kernel to record HID events. 
When executed, ~hiddump~ reads ~input_event~-structs from one or multiple event files under ~/dev/input/~, which are continuously polled during the recording period. The timing information, which is provided in the form of ~timeval~-structs, is converted to a relative timestamp starting at the beginning of the recording. If the event carries coordinates, those are mapped to the value range that QEMU uses in its monitor protocol. After retrieval and normalization of the events, they are dumped to ~stdout~ or written to a specified file in the binary representation presented below. By using the input event format of the Linux input subsystem the tool builds upon a proven format and a stable interface.
92 | 93 | #+begin_example 94 | | Symbol | Size | Content | 95 | |---------------------------+-------+---------------------| 96 | | Magic number | DWORD | 0xCB 0xC1 0xD2 0xC4 | 97 | | ASCII identifier ('DRAK') | DWORD | 0x44 0x52 0x41 0x4b | 98 | | Version information | DWORD | 0x01 0x00 0x00 0x00 | 99 | #+end_example 100 | 101 | Output in this form can be used for the simulation of human-like interaction with the help of the plugin ~hidsim~. 102 | -------------------------------------------------------------------------------- /src/libdrakvuf/helper.c: -------------------------------------------------------------------------------- 1 | /*********************IMPORTANT DRAKVUF LICENSE TERMS*********************** 2 | * * 3 | * DRAKVUF (C) 2014-2024 Tamas K Lengyel. * 4 | * Tamas K Lengyel is hereinafter referred to as the author. * 5 | * This program is free software; you may redistribute and/or modify it * 6 | * under the terms of the GNU General Public License as published by the * 7 | * Free Software Foundation; Version 2 ("GPL"), BUT ONLY WITH ALL OF THE * 8 | * CLARIFICATIONS AND EXCEPTIONS DESCRIBED HEREIN. This guarantees your * 9 | * right to use, modify, and redistribute this software under certain * 10 | * conditions. If you wish to embed DRAKVUF technology into proprietary * 11 | * software, alternative licenses can be acquired from the author. * 12 | * * 13 | * Note that the GPL places important restrictions on "derivative works", * 14 | * yet it does not provide a detailed definition of that term. To avoid * 15 | * misunderstandings, we interpret that term as broadly as copyright law * 16 | * allows. For example, we consider an application to constitute a * 17 | * derivative work for the purpose of this license if it does any of the * 18 | * following with any software or content covered by this license * 19 | * ("Covered Software"): * 20 | * * 21 | * o Integrates source code from Covered Software. 
* 22 | * * 23 | * o Reads or includes copyrighted data files. * 24 | * * 25 | * o Is designed specifically to execute Covered Software and parse the * 26 | * results (as opposed to typical shell or execution-menu apps, which will * 27 | * execute anything you tell them to). * 28 | * * 29 | * o Includes Covered Software in a proprietary executable installer. The * 30 | * installers produced by InstallShield are an example of this. Including * 31 | * DRAKVUF with other software in compressed or archival form does not * 32 | * trigger this provision, provided appropriate open source decompression * 33 | * or de-archiving software is widely available for no charge. For the * 34 | * purposes of this license, an installer is considered to include Covered * 35 | * Software even if it actually retrieves a copy of Covered Software from * 36 | * another source during runtime (such as by downloading it from the * 37 | * Internet). * 38 | * * 39 | * o Links (statically or dynamically) to a library which does any of the * 40 | * above. * 41 | * * 42 | * o Executes a helper program, module, or script to do any of the above. * 43 | * * 44 | * This list is not exclusive, but is meant to clarify our interpretation * 45 | * of derived works with some common examples. Other people may interpret * 46 | * the plain GPL differently, so we consider this a special exception to * 47 | * the GPL that we apply to Covered Software. Works which meet any of * 48 | * these conditions must conform to all of the terms of this license, * 49 | * particularly including the GPL Section 3 requirements of providing * 50 | * source code and allowing free redistribution of the work as a whole. * 51 | * * 52 | * Any redistribution of Covered Software, including any derived works, * 53 | * must obey and carry forward all of the terms of this license, including * 54 | * obeying all GPL rules and restrictions. 
For example, source code of * 55 | * the whole work must be provided and free redistribution must be * 56 | * allowed. All GPL references to "this License", are to be treated as * 57 | * including the terms and conditions of this license text as well. * 58 | * * 59 | * Because this license imposes special exceptions to the GPL, Covered * 60 | * Work may not be combined (even as part of a larger work) with plain GPL * 61 | * software. The terms, conditions, and exceptions of this license must * 62 | * be included as well. This license is incompatible with some other open * 63 | * source licenses as well. In some cases we can relicense portions of * 64 | * DRAKVUF or grant special permissions to use it in other open source * 65 | * software. Please contact tamas.k.lengyel@gmail.com with any such * 66 | * requests. Similarly, we don't incorporate incompatible open source * 67 | * software into Covered Software without special permission from the * 68 | * copyright holders. * 69 | * * 70 | * If you have any questions about the licensing restrictions on using * 71 | * DRAKVUF in other works, are happy to help. As mentioned above, * 72 | * alternative license can be requested from the author to integrate * 73 | * DRAKVUF into proprietary applications and appliances. Please email * 74 | * tamas.k.lengyel@gmail.com for further information. * 75 | * * 76 | * If you have received a written license agreement or contract for * 77 | * Covered Software stating terms other than these, you may choose to use * 78 | * and redistribute Covered Software under those terms instead of these. * 79 | * * 80 | * Source is provided to this software because we believe users have a * 81 | * right to know exactly what a program is going to do before they run it. * 82 | * This also allows you to audit the software for security holes. * 83 | * * 84 | * Source code also allows you to port DRAKVUF to new platforms, fix bugs, * 85 | * and add new features. 
You are highly encouraged to submit your changes * 86 | * on https://github.com/tklengyel/drakvuf, or by other methods. * 87 | * By sending these changes, it is understood (unless you specify * 88 | * otherwise) that you are offering unlimited, non-exclusive right to * 89 | * reuse, modify, and relicense the code. DRAKVUF will always be * 90 | * available Open Source, but this is important because the inability to * 91 | * relicense code has caused devastating problems for other Free Software * 92 | * projects (such as KDE and NASM). * 93 | * To specify special license conditions of your contributions, just say * 94 | * so when you send them. * 95 | * * 96 | * This program is distributed in the hope that it will be useful, but * 97 | * WITHOUT ANY WARRANTY; without even the implied warranty of * 98 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the DRAKVUF * 99 | * license file for more details (it's in a COPYING file included with * 100 | * DRAKVUF, and also available from * 101 | * https://github.com/tklengyel/drakvuf/COPYING) * 102 | * * 103 | ***************************************************************************/ 104 | 105 | #include 106 | #include "private.h" 107 | 108 | void free_remapped_gfn(gpointer p) 109 | { 110 | g_slice_free(struct remapped_gfn, p); 111 | } 112 | 113 | void free_wrapper(gpointer p) 114 | { 115 | g_slice_free(struct wrapper, p); 116 | } 117 | -------------------------------------------------------------------------------- /src/libdrakvuf/json-util.h: -------------------------------------------------------------------------------- 1 | /*********************IMPORTANT DRAKVUF LICENSE TERMS*********************** 2 | * * 3 | * DRAKVUF (C) 2014-2024 Tamas K Lengyel. * 4 | * Tamas K Lengyel is hereinafter referred to as the author. 
* 5 | * This program is free software; you may redistribute and/or modify it * 6 | * under the terms of the GNU General Public License as published by the * 7 | * Free Software Foundation; Version 2 ("GPL"), BUT ONLY WITH ALL OF THE * 8 | * CLARIFICATIONS AND EXCEPTIONS DESCRIBED HEREIN. This guarantees your * 9 | * right to use, modify, and redistribute this software under certain * 10 | * conditions. If you wish to embed DRAKVUF technology into proprietary * 11 | * software, alternative licenses can be acquired from the author. * 12 | * * 13 | * Note that the GPL places important restrictions on "derivative works", * 14 | * yet it does not provide a detailed definition of that term. To avoid * 15 | * misunderstandings, we interpret that term as broadly as copyright law * 16 | * allows. For example, we consider an application to constitute a * 17 | * derivative work for the purpose of this license if it does any of the * 18 | * following with any software or content covered by this license * 19 | * ("Covered Software"): * 20 | * * 21 | * o Integrates source code from Covered Software. * 22 | * * 23 | * o Reads or includes copyrighted data files. * 24 | * * 25 | * o Is designed specifically to execute Covered Software and parse the * 26 | * results (as opposed to typical shell or execution-menu apps, which will * 27 | * execute anything you tell them to). * 28 | * * 29 | * o Includes Covered Software in a proprietary executable installer. The * 30 | * installers produced by InstallShield are an example of this. Including * 31 | * DRAKVUF with other software in compressed or archival form does not * 32 | * trigger this provision, provided appropriate open source decompression * 33 | * or de-archiving software is widely available for no charge. 
For the * 34 | * purposes of this license, an installer is considered to include Covered * 35 | * Software even if it actually retrieves a copy of Covered Software from * 36 | * another source during runtime (such as by downloading it from the * 37 | * Internet). * 38 | * * 39 | * o Links (statically or dynamically) to a library which does any of the * 40 | * above. * 41 | * * 42 | * o Executes a helper program, module, or script to do any of the above. * 43 | * * 44 | * This list is not exclusive, but is meant to clarify our interpretation * 45 | * of derived works with some common examples. Other people may interpret * 46 | * the plain GPL differently, so we consider this a special exception to * 47 | * the GPL that we apply to Covered Software. Works which meet any of * 48 | * these conditions must conform to all of the terms of this license, * 49 | * particularly including the GPL Section 3 requirements of providing * 50 | * source code and allowing free redistribution of the work as a whole. * 51 | * * 52 | * Any redistribution of Covered Software, including any derived works, * 53 | * must obey and carry forward all of the terms of this license, including * 54 | * obeying all GPL rules and restrictions. For example, source code of * 55 | * the whole work must be provided and free redistribution must be * 56 | * allowed. All GPL references to "this License", are to be treated as * 57 | * including the terms and conditions of this license text as well. * 58 | * * 59 | * Because this license imposes special exceptions to the GPL, Covered * 60 | * Work may not be combined (even as part of a larger work) with plain GPL * 61 | * software. The terms, conditions, and exceptions of this license must * 62 | * be included as well. This license is incompatible with some other open * 63 | * source licenses as well. In some cases we can relicense portions of * 64 | * DRAKVUF or grant special permissions to use it in other open source * 65 | * software. 
Please contact tamas.k.lengyel@gmail.com with any such * 66 | * requests. Similarly, we don't incorporate incompatible open source * 67 | * software into Covered Software without special permission from the * 68 | * copyright holders. * 69 | * * 70 | * If you have any questions about the licensing restrictions on using * 71 | * DRAKVUF in other works, are happy to help. As mentioned above, * 72 | * alternative license can be requested from the author to integrate * 73 | * DRAKVUF into proprietary applications and appliances. Please email * 74 | * tamas.k.lengyel@gmail.com for further information. * 75 | * * 76 | * If you have received a written license agreement or contract for * 77 | * Covered Software stating terms other than these, you may choose to use * 78 | * and redistribute Covered Software under those terms instead of these. * 79 | * * 80 | * Source is provided to this software because we believe users have a * 81 | * right to know exactly what a program is going to do before they run it. * 82 | * This also allows you to audit the software for security holes. * 83 | * * 84 | * Source code also allows you to port DRAKVUF to new platforms, fix bugs, * 85 | * and add new features. You are highly encouraged to submit your changes * 86 | * on https://github.com/tklengyel/drakvuf, or by other methods. * 87 | * By sending these changes, it is understood (unless you specify * 88 | * otherwise) that you are offering unlimited, non-exclusive right to * 89 | * reuse, modify, and relicense the code. DRAKVUF will always be * 90 | * available Open Source, but this is important because the inability to * 91 | * relicense code has caused devastating problems for other Free Software * 92 | * projects (such as KDE and NASM). * 93 | * To specify special license conditions of your contributions, just say * 94 | * so when you send them. 
* 95 | * * 96 | * This program is distributed in the hope that it will be useful, but * 97 | * WITHOUT ANY WARRANTY; without even the implied warranty of * 98 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the DRAKVUF * 99 | * license file for more details (it's in a COPYING file included with * 100 | * DRAKVUF, and also available from * 101 | * https://github.com/tklengyel/drakvuf/COPYING) * 102 | * * 103 | ***************************************************************************/ 104 | 105 | #ifndef JSON_UTIL_H 106 | #define JSON_UTIL_H 107 | 108 | #include 109 | 110 | #ifdef __cplusplus 111 | extern "C" { 112 | #endif 113 | struct json_object* json_object_new_string_fmt(const char* format, ...) __attribute__ ((format (printf, 1, 2))); 114 | #ifdef __cplusplus 115 | } 116 | #endif 117 | 118 | #endif 119 | -------------------------------------------------------------------------------- /src/libdrakvuf/meson.build: -------------------------------------------------------------------------------- 1 | incdir = include_directories('../..') 2 | 3 | libdrakvuf = static_library('drakvuf', 4 | 'drakvuf.c', 5 | 'vmi.c', 6 | 'helper.c', 7 | 'json-profile.c', 8 | 'json-util.c', 9 | 'linux-exports.c', 10 | 'linux-processes.c', 11 | 'linux.c', 12 | 'os.c', 13 | 'win-exports.c', 14 | 'win-files.c', 15 | 'win-handles.c', 16 | 'win-processes.c', 17 | 'win-registry.c', 18 | 'win.c', 19 | 20 | include_directories : incdir, 21 | dependencies : [glib, libvmi, jsonc], 22 | link_with : xen_helper, 23 | link_args : hardened_link_args 24 | ) 25 | -------------------------------------------------------------------------------- /src/libhook/meson.build: -------------------------------------------------------------------------------- 1 | libhook_h = include_directories( 2 | '..', '../..', 3 | ) 4 | libhook = static_library('hook', 5 | 'hooks/base.cpp', 6 | 'hooks/manual.cpp', 7 | 'hooks/syscall.cpp', 8 | 'hooks/return.cpp', 9 | 'hooks/cr3.cpp', 10 | 'hooks/cpuid.cpp', 11 | 
'hooks/catchall.cpp', 12 | 'hooks/memaccess.cpp', 13 | 14 | dependencies : deps, 15 | include_directories : libhook_h, 16 | link_with : libdrakvuf 17 | ) 18 | -------------------------------------------------------------------------------- /src/libinjector/linux/linux_private.h: -------------------------------------------------------------------------------- 1 | /*********************IMPORTANT DRAKVUF LICENSE TERMS*********************** 2 | * * 3 | * DRAKVUF (C) 2014-2024 Tamas K Lengyel. * 4 | * Tamas K Lengyel is hereinafter referred to as the author. * 5 | * This program is free software; you may redistribute and/or modify it * 6 | * under the terms of the GNU General Public License as published by the * 7 | * Free Software Foundation; Version 2 ("GPL"), BUT ONLY WITH ALL OF THE * 8 | * CLARIFICATIONS AND EXCEPTIONS DESCRIBED HEREIN. This guarantees your * 9 | * right to use, modify, and redistribute this software under certain * 10 | * conditions. If you wish to embed DRAKVUF technology into proprietary * 11 | * software, alternative licenses can be acquired from the author. * 12 | * * 13 | * Note that the GPL places important restrictions on "derivative works", * 14 | * yet it does not provide a detailed definition of that term. To avoid * 15 | * misunderstandings, we interpret that term as broadly as copyright law * 16 | * allows. For example, we consider an application to constitute a * 17 | * derivative work for the purpose of this license if it does any of the * 18 | * following with any software or content covered by this license * 19 | * ("Covered Software"): * 20 | * * 21 | * o Integrates source code from Covered Software. * 22 | * * 23 | * o Reads or includes copyrighted data files. * 24 | * * 25 | * o Is designed specifically to execute Covered Software and parse the * 26 | * results (as opposed to typical shell or execution-menu apps, which will * 27 | * execute anything you tell them to). 
* 28 | * * 29 | * o Includes Covered Software in a proprietary executable installer. The * 30 | * installers produced by InstallShield are an example of this. Including * 31 | * DRAKVUF with other software in compressed or archival form does not * 32 | * trigger this provision, provided appropriate open source decompression * 33 | * or de-archiving software is widely available for no charge. For the * 34 | * purposes of this license, an installer is considered to include Covered * 35 | * Software even if it actually retrieves a copy of Covered Software from * 36 | * another source during runtime (such as by downloading it from the * 37 | * Internet). * 38 | * * 39 | * o Links (statically or dynamically) to a library which does any of the * 40 | * above. * 41 | * * 42 | * o Executes a helper program, module, or script to do any of the above. * 43 | * * 44 | * This list is not exclusive, but is meant to clarify our interpretation * 45 | * of derived works with some common examples. Other people may interpret * 46 | * the plain GPL differently, so we consider this a special exception to * 47 | * the GPL that we apply to Covered Software. Works which meet any of * 48 | * these conditions must conform to all of the terms of this license, * 49 | * particularly including the GPL Section 3 requirements of providing * 50 | * source code and allowing free redistribution of the work as a whole. * 51 | * * 52 | * Any redistribution of Covered Software, including any derived works, * 53 | * must obey and carry forward all of the terms of this license, including * 54 | * obeying all GPL rules and restrictions. For example, source code of * 55 | * the whole work must be provided and free redistribution must be * 56 | * allowed. All GPL references to "this License", are to be treated as * 57 | * including the terms and conditions of this license text as well. 
* 58 | * * 59 | * Because this license imposes special exceptions to the GPL, Covered * 60 | * Work may not be combined (even as part of a larger work) with plain GPL * 61 | * software. The terms, conditions, and exceptions of this license must * 62 | * be included as well. This license is incompatible with some other open * 63 | * source licenses as well. In some cases we can relicense portions of * 64 | * DRAKVUF or grant special permissions to use it in other open source * 65 | * software. Please contact tamas.k.lengyel@gmail.com with any such * 66 | * requests. Similarly, we don't incorporate incompatible open source * 67 | * software into Covered Software without special permission from the * 68 | * copyright holders. * 69 | * * 70 | * If you have any questions about the licensing restrictions on using * 71 | * DRAKVUF in other works, are happy to help. As mentioned above, * 72 | * alternative license can be requested from the author to integrate * 73 | * DRAKVUF into proprietary applications and appliances. Please email * 74 | * tamas.k.lengyel@gmail.com for further information. * 75 | * * 76 | * If you have received a written license agreement or contract for * 77 | * Covered Software stating terms other than these, you may choose to use * 78 | * and redistribute Covered Software under those terms instead of these. * 79 | * * 80 | * Source is provided to this software because we believe users have a * 81 | * right to know exactly what a program is going to do before they run it. * 82 | * This also allows you to audit the software for security holes. * 83 | * * 84 | * Source code also allows you to port DRAKVUF to new platforms, fix bugs, * 85 | * and add new features. You are highly encouraged to submit your changes * 86 | * on https://github.com/tklengyel/drakvuf, or by other methods. 
* 87 | * By sending these changes, it is understood (unless you specify * 88 | * otherwise) that you are offering unlimited, non-exclusive right to * 89 | * reuse, modify, and relicense the code. DRAKVUF will always be * 90 | * available Open Source, but this is important because the inability to * 91 | * relicense code has caused devastating problems for other Free Software * 92 | * projects (such as KDE and NASM). * 93 | * To specify special license conditions of your contributions, just say * 94 | * so when you send them. * 95 | * * 96 | * This program is distributed in the hope that it will be useful, but * 97 | * WITHOUT ANY WARRANTY; without even the implied warranty of * 98 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the DRAKVUF * 99 | * license file for more details (it's in a COPYING file included with * 100 | * DRAKVUF, and also available from * 101 | * https://github.com/tklengyel/drakvuf/COPYING) * 102 | * * 103 | ***************************************************************************/ 104 | 105 | 106 | #ifndef LINUX_PRIVATE_H 107 | #define LINUX_PRIVATE_H 108 | 109 | // syscall limit for error codes 110 | #define MAX_ERRNO 4096UL 111 | #define FILE_BUF_SIZE 65536UL 112 | 113 | #endif 114 | -------------------------------------------------------------------------------- /src/libinjector/meson.build: -------------------------------------------------------------------------------- 1 | libinjector_h = include_directories( 2 | '..', '../..', 3 | 'linux', 'linux/methods', 4 | 'win', 'win/methods' 5 | ) 6 | libinjector = static_library('injector', 7 | 'injector.c', 8 | 'debug_helpers.c', 9 | 'injector_stack.c', 10 | 'injector_utils.c', 11 | 'win/method_helpers.c', 12 | 'win/win_functions.c', 13 | 'win/win_injector.c', 14 | 'win/win_utils.c', 15 | 'win/methods/win_createproc.c', 16 | 'win/methods/win_exitthread.c', 17 | 'win/methods/win_read_file.c', 18 | 'win/methods/win_shellcode.c', 19 | 'win/methods/win_shellexec.c', 20 | 
'win/methods/win_terminate.c', 21 | 'win/methods/win_write_file.c', 22 | 'linux/linux_injector.c', 23 | 'linux/linux_syscalls.c', 24 | 'linux/linux_utils.c', 25 | 'linux/methods/linux_execve.c', 26 | 'linux/methods/linux_read_file.c', 27 | 'linux/methods/linux_shellcode.c', 28 | 'linux/methods/linux_write_file.c', 29 | 30 | dependencies : deps, 31 | include_directories : libinjector_h, 32 | link_with : libdrakvuf 33 | ) 34 | -------------------------------------------------------------------------------- /src/libinjector/win/methods/win_createproc.h: -------------------------------------------------------------------------------- 1 | /*********************IMPORTANT DRAKVUF LICENSE TERMS********************** 2 | * * 3 | * DRAKVUF (C) 2014-2024 Tamas K Lengyel. * 4 | * Tamas K Lengyel is hereinafter referred to as the author. * 5 | * This program is free software; you may redistribute and/or modify it * 6 | * under the terms of the GNU General Public License as published by the * 7 | * Free Software Foundation; Version 2 ("GPL"), BUT ONLY WITH ALL OF THE * 8 | * CLARIFICATIONS AND EXCEPTIONS DESCRIBED HEREIN. This guarantees your * 9 | * right to use, modify, and redistribute this software under certain * 10 | * conditions. If you wish to embed DRAKVUF technology into proprietary * 11 | * software, alternative licenses can be acquired from the author. * 12 | * * 13 | * Note that the GPL places important restrictions on "derivative works", * 14 | * yet it does not provide a detailed definition of that term. To avoid * 15 | * misunderstandings, we interpret that term as broadly as copyright law * 16 | * allows. For example, we consider an application to constitute a * 17 | * derivative work for the purpose of this license if it does any of the * 18 | * following with any software or content covered by this license * 19 | * ("Covered Software"): * 20 | * * 21 | * o Integrates source code from Covered Software. 
* 22 | * * 23 | * o Reads or includes copyrighted data files. * 24 | * * 25 | * o Is designed specifically to execute Covered Software and parse the * 26 | * results (as opposed to typical shell or execution-menu apps, which will * 27 | * execute anything you tell them to). * 28 | * * 29 | * o Includes Covered Software in a proprietary executable installer. The * 30 | * installers produced by InstallShield are an example of this. Including * 31 | * DRAKVUF with other software in compressed or archival form does not * 32 | * trigger this provision, provided appropriate open source decompression * 33 | * or de-archiving software is widely available for no charge. For the * 34 | * purposes of this license, an installer is considered to include Covered * 35 | * Software even if it actually retrieves a copy of Covered Software from * 36 | * another source during runtime (such as by downloading it from the * 37 | * Internet). * 38 | * * 39 | * o Links (statically or dynamically) to a library which does any of the * 40 | * above. * 41 | * * 42 | * o Executes a helper program, module, or script to do any of the above. * 43 | * * 44 | * This list is not exclusive, but is meant to clarify our interpretation * 45 | * of derived works with some common examples. Other people may interpret * 46 | * the plain GPL differently, so we consider this a special exception to * 47 | * the GPL that we apply to Covered Software. Works which meet any of * 48 | * these conditions must conform to all of the terms of this license, * 49 | * particularly including the GPL Section 3 requirements of providing * 50 | * source code and allowing free redistribution of the work as a whole. * 51 | * * 52 | * Any redistribution of Covered Software, including any derived works, * 53 | * must obey and carry forward all of the terms of this license, including * 54 | * obeying all GPL rules and restrictions. 
For example, source code of * 55 | * the whole work must be provided and free redistribution must be * 56 | * allowed. All GPL references to "this License", are to be treated as * 57 | * including the terms and conditions of this license text as well. * 58 | * * 59 | * Because this license imposes special exceptions to the GPL, Covered * 60 | * Work may not be combined (even as part of a larger work) with plain GPL * 61 | * software. The terms, conditions, and exceptions of this license must * 62 | * be included as well. This license is incompatible with some other open * 63 | * source licenses as well. In some cases we can relicense portions of * 64 | * DRAKVUF or grant special permissions to use it in other open source * 65 | * software. Please contact tamas.k.lengyel@gmail.com with any such * 66 | * requests. Similarly, we don't incorporate incompatible open source * 67 | * software into Covered Software without special permission from the * 68 | * copyright holders. * 69 | * * 70 | * If you have any questions about the licensing restrictions on using * 71 | * DRAKVUF in other works, are happy to help. As mentioned above, * 72 | * alternative license can be requested from the author to integrate * 73 | * DRAKVUF into proprietary applications and appliances. Please email * 74 | * tamas.k.lengyel@gmail.com for further information. * 75 | * * 76 | * If you have received a written license agreement or contract for * 77 | * Covered Software stating terms other than these, you may choose to use * 78 | * and redistribute Covered Software under those terms instead of these. * 79 | * * 80 | * Source is provided to this software because we believe users have a * 81 | * right to know exactly what a program is going to do before they run it. * 82 | * This also allows you to audit the software for security holes. * 83 | * * 84 | * Source code also allows you to port DRAKVUF to new platforms, fix bugs, * 85 | * and add new features. 
You are highly encouraged to submit your changes * 86 | * on https://github.com/tklengyel/drakvuf, or by other methods. * 87 | * By sending these changes, it is understood (unless you specify * 88 | * otherwise) that you are offering unlimited, non-exclusive right to * 89 | * reuse, modify, and relicense the code. DRAKVUF will always be * 90 | * available Open Source, but this is important because the inability to * 91 | * relicense code has caused devastating problems for other Free Software * 92 | * projects (such as KDE and NASM). * 93 | * To specify special license conditions of your contributions, just say * 94 | * so when you send them. * 95 | * * 96 | * This program is distributed in the hope that it will be useful, but * 97 | * WITHOUT ANY WARRANTY; without even the implied warranty of * 98 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the DRAKVUF * 99 | * license file for more details (it's in a COPYING file included with * 100 | * DRAKVUF, and also available from * 101 | * https://github.com/tklengyel/drakvuf/COPYING) * 102 | * * 103 | ***************************************************************************/ 104 | 105 | #ifndef WIN_METHOD_CREATEPROC 106 | #define WIN_METHOD_CREATEPROC 107 | 108 | #include "win_utils.h" 109 | 110 | event_response_t handle_createproc(drakvuf_t drakvuf, drakvuf_trap_info_t* info); 111 | #endif 112 | -------------------------------------------------------------------------------- /src/libinjector/win/methods/win_exitthread.h: -------------------------------------------------------------------------------- 1 | /*********************IMPORTANT DRAKVUF LICENSE TERMS********************** 2 | * * 3 | * DRAKVUF (C) 2014-2024 Tamas K Lengyel. * 4 | * Tamas K Lengyel is hereinafter referred to as the author. 
* 5 | * This program is free software; you may redistribute and/or modify it * 6 | * under the terms of the GNU General Public License as published by the * 7 | * Free Software Foundation; Version 2 ("GPL"), BUT ONLY WITH ALL OF THE * 8 | * CLARIFICATIONS AND EXCEPTIONS DESCRIBED HEREIN. This guarantees your * 9 | * right to use, modify, and redistribute this software under certain * 10 | * conditions. If you wish to embed DRAKVUF technology into proprietary * 11 | * software, alternative licenses can be acquired from the author. * 12 | * * 13 | * Note that the GPL places important restrictions on "derivative works", * 14 | * yet it does not provide a detailed definition of that term. To avoid * 15 | * misunderstandings, we interpret that term as broadly as copyright law * 16 | * allows. For example, we consider an application to constitute a * 17 | * derivative work for the purpose of this license if it does any of the * 18 | * following with any software or content covered by this license * 19 | * ("Covered Software"): * 20 | * * 21 | * o Integrates source code from Covered Software. * 22 | * * 23 | * o Reads or includes copyrighted data files. * 24 | * * 25 | * o Is designed specifically to execute Covered Software and parse the * 26 | * results (as opposed to typical shell or execution-menu apps, which will * 27 | * execute anything you tell them to). * 28 | * * 29 | * o Includes Covered Software in a proprietary executable installer. The * 30 | * installers produced by InstallShield are an example of this. Including * 31 | * DRAKVUF with other software in compressed or archival form does not * 32 | * trigger this provision, provided appropriate open source decompression * 33 | * or de-archiving software is widely available for no charge. 
For the * 34 | * purposes of this license, an installer is considered to include Covered * 35 | * Software even if it actually retrieves a copy of Covered Software from * 36 | * another source during runtime (such as by downloading it from the * 37 | * Internet). * 38 | * * 39 | * o Links (statically or dynamically) to a library which does any of the * 40 | * above. * 41 | * * 42 | * o Executes a helper program, module, or script to do any of the above. * 43 | * * 44 | * This list is not exclusive, but is meant to clarify our interpretation * 45 | * of derived works with some common examples. Other people may interpret * 46 | * the plain GPL differently, so we consider this a special exception to * 47 | * the GPL that we apply to Covered Software. Works which meet any of * 48 | * these conditions must conform to all of the terms of this license, * 49 | * particularly including the GPL Section 3 requirements of providing * 50 | * source code and allowing free redistribution of the work as a whole. * 51 | * * 52 | * Any redistribution of Covered Software, including any derived works, * 53 | * must obey and carry forward all of the terms of this license, including * 54 | * obeying all GPL rules and restrictions. For example, source code of * 55 | * the whole work must be provided and free redistribution must be * 56 | * allowed. All GPL references to "this License", are to be treated as * 57 | * including the terms and conditions of this license text as well. * 58 | * * 59 | * Because this license imposes special exceptions to the GPL, Covered * 60 | * Work may not be combined (even as part of a larger work) with plain GPL * 61 | * software. The terms, conditions, and exceptions of this license must * 62 | * be included as well. This license is incompatible with some other open * 63 | * source licenses as well. In some cases we can relicense portions of * 64 | * DRAKVUF or grant special permissions to use it in other open source * 65 | * software. 
Please contact tamas.k.lengyel@gmail.com with any such * 66 | * requests. Similarly, we don't incorporate incompatible open source * 67 | * software into Covered Software without special permission from the * 68 | * copyright holders. * 69 | * * 70 | * If you have any questions about the licensing restrictions on using * 71 | * DRAKVUF in other works, are happy to help. As mentioned above, * 72 | * alternative license can be requested from the author to integrate * 73 | * DRAKVUF into proprietary applications and appliances. Please email * 74 | * tamas.k.lengyel@gmail.com for further information. * 75 | * * 76 | * If you have received a written license agreement or contract for * 77 | * Covered Software stating terms other than these, you may choose to use * 78 | * and redistribute Covered Software under those terms instead of these. * 79 | * * 80 | * Source is provided to this software because we believe users have a * 81 | * right to know exactly what a program is going to do before they run it. * 82 | * This also allows you to audit the software for security holes. * 83 | * * 84 | * Source code also allows you to port DRAKVUF to new platforms, fix bugs, * 85 | * and add new features. You are highly encouraged to submit your changes * 86 | * on https://github.com/tklengyel/drakvuf, or by other methods. * 87 | * By sending these changes, it is understood (unless you specify * 88 | * otherwise) that you are offering unlimited, non-exclusive right to * 89 | * reuse, modify, and relicense the code. DRAKVUF will always be * 90 | * available Open Source, but this is important because the inability to * 91 | * relicense code has caused devastating problems for other Free Software * 92 | * projects (such as KDE and NASM). * 93 | * To specify special license conditions of your contributions, just say * 94 | * so when you send them. 
* 95 | * * 96 | * This program is distributed in the hope that it will be useful, but * 97 | * WITHOUT ANY WARRANTY; without even the implied warranty of * 98 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the DRAKVUF * 99 | * license file for more details (it's in a COPYING file included with * 100 | * DRAKVUF, and also available from * 101 | * https://github.com/tklengyel/drakvuf/COPYING) * 102 | * * 103 | ***************************************************************************/ 104 | 105 | #ifndef WIN_METHOD_EXITTHREAD 106 | #define WIN_METHOD_EXITTHREAD 107 | 108 | #include "win_utils.h" 109 | 110 | event_response_t handle_win_exitthread(drakvuf_t drakvuf, drakvuf_trap_info_t* info); 111 | #endif 112 | -------------------------------------------------------------------------------- /src/libinjector/win/methods/win_read_file.h: -------------------------------------------------------------------------------- 1 | /*********************IMPORTANT DRAKVUF LICENSE TERMS********************** 2 | * * 3 | * DRAKVUF (C) 2014-2024 Tamas K Lengyel. * 4 | * Tamas K Lengyel is hereinafter referred to as the author. * 5 | * This program is free software; you may redistribute and/or modify it * 6 | * under the terms of the GNU General Public License as published by the * 7 | * Free Software Foundation; Version 2 ("GPL"), BUT ONLY WITH ALL OF THE * 8 | * CLARIFICATIONS AND EXCEPTIONS DESCRIBED HEREIN. This guarantees your * 9 | * right to use, modify, and redistribute this software under certain * 10 | * conditions. If you wish to embed DRAKVUF technology into proprietary * 11 | * software, alternative licenses can be acquired from the author. * 12 | * * 13 | * Note that the GPL places important restrictions on "derivative works", * 14 | * yet it does not provide a detailed definition of that term. To avoid * 15 | * misunderstandings, we interpret that term as broadly as copyright law * 16 | * allows. 
For example, we consider an application to constitute a * 17 | * derivative work for the purpose of this license if it does any of the * 18 | * following with any software or content covered by this license * 19 | * ("Covered Software"): * 20 | * * 21 | * o Integrates source code from Covered Software. * 22 | * * 23 | * o Reads or includes copyrighted data files. * 24 | * * 25 | * o Is designed specifically to execute Covered Software and parse the * 26 | * results (as opposed to typical shell or execution-menu apps, which will * 27 | * execute anything you tell them to). * 28 | * * 29 | * o Includes Covered Software in a proprietary executable installer. The * 30 | * installers produced by InstallShield are an example of this. Including * 31 | * DRAKVUF with other software in compressed or archival form does not * 32 | * trigger this provision, provided appropriate open source decompression * 33 | * or de-archiving software is widely available for no charge. For the * 34 | * purposes of this license, an installer is considered to include Covered * 35 | * Software even if it actually retrieves a copy of Covered Software from * 36 | * another source during runtime (such as by downloading it from the * 37 | * Internet). * 38 | * * 39 | * o Links (statically or dynamically) to a library which does any of the * 40 | * above. * 41 | * * 42 | * o Executes a helper program, module, or script to do any of the above. * 43 | * * 44 | * This list is not exclusive, but is meant to clarify our interpretation * 45 | * of derived works with some common examples. Other people may interpret * 46 | * the plain GPL differently, so we consider this a special exception to * 47 | * the GPL that we apply to Covered Software. Works which meet any of * 48 | * these conditions must conform to all of the terms of this license, * 49 | * particularly including the GPL Section 3 requirements of providing * 50 | * source code and allowing free redistribution of the work as a whole. 
* 51 | * * 52 | * Any redistribution of Covered Software, including any derived works, * 53 | * must obey and carry forward all of the terms of this license, including * 54 | * obeying all GPL rules and restrictions. For example, source code of * 55 | * the whole work must be provided and free redistribution must be * 56 | * allowed. All GPL references to "this License", are to be treated as * 57 | * including the terms and conditions of this license text as well. * 58 | * * 59 | * Because this license imposes special exceptions to the GPL, Covered * 60 | * Work may not be combined (even as part of a larger work) with plain GPL * 61 | * software. The terms, conditions, and exceptions of this license must * 62 | * be included as well. This license is incompatible with some other open * 63 | * source licenses as well. In some cases we can relicense portions of * 64 | * DRAKVUF or grant special permissions to use it in other open source * 65 | * software. Please contact tamas.k.lengyel@gmail.com with any such * 66 | * requests. Similarly, we don't incorporate incompatible open source * 67 | * software into Covered Software without special permission from the * 68 | * copyright holders. * 69 | * * 70 | * If you have any questions about the licensing restrictions on using * 71 | * DRAKVUF in other works, are happy to help. As mentioned above, * 72 | * alternative license can be requested from the author to integrate * 73 | * DRAKVUF into proprietary applications and appliances. Please email * 74 | * tamas.k.lengyel@gmail.com for further information. * 75 | * * 76 | * If you have received a written license agreement or contract for * 77 | * Covered Software stating terms other than these, you may choose to use * 78 | * and redistribute Covered Software under those terms instead of these. * 79 | * * 80 | * Source is provided to this software because we believe users have a * 81 | * right to know exactly what a program is going to do before they run it. 
* 82 | * This also allows you to audit the software for security holes. * 83 | * * 84 | * Source code also allows you to port DRAKVUF to new platforms, fix bugs, * 85 | * and add new features. You are highly encouraged to submit your changes * 86 | * on https://github.com/tklengyel/drakvuf, or by other methods. * 87 | * By sending these changes, it is understood (unless you specify * 88 | * otherwise) that you are offering unlimited, non-exclusive right to * 89 | * reuse, modify, and relicense the code. DRAKVUF will always be * 90 | * available Open Source, but this is important because the inability to * 91 | * relicense code has caused devastating problems for other Free Software * 92 | * projects (such as KDE and NASM). * 93 | * To specify special license conditions of your contributions, just say * 94 | * so when you send them. * 95 | * * 96 | * This program is distributed in the hope that it will be useful, but * 97 | * WITHOUT ANY WARRANTY; without even the implied warranty of * 98 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the DRAKVUF * 99 | * license file for more details (it's in a COPYING file included with * 100 | * DRAKVUF, and also available from * 101 | * https://github.com/tklengyel/drakvuf/COPYING) * 102 | * * 103 | ***************************************************************************/ 104 | 105 | #ifndef WIN_METHOD_READFILE 106 | #define WIN_METHOD_READFILE 107 | 108 | #include "win_utils.h" 109 | 110 | event_response_t handle_readfile_x64(drakvuf_t drakvuf, drakvuf_trap_info_t* info); 111 | #endif 112 | -------------------------------------------------------------------------------- /src/libinjector/win/methods/win_shellcode.h: -------------------------------------------------------------------------------- 1 | /*********************IMPORTANT DRAKVUF LICENSE TERMS********************** 2 | * * 3 | * DRAKVUF (C) 2014-2024 Tamas K Lengyel. * 4 | * Tamas K Lengyel is hereinafter referred to as the author. 
* 5 | * This program is free software; you may redistribute and/or modify it * 6 | * under the terms of the GNU General Public License as published by the * 7 | * Free Software Foundation; Version 2 ("GPL"), BUT ONLY WITH ALL OF THE * 8 | * CLARIFICATIONS AND EXCEPTIONS DESCRIBED HEREIN. This guarantees your * 9 | * right to use, modify, and redistribute this software under certain * 10 | * conditions. If you wish to embed DRAKVUF technology into proprietary * 11 | * software, alternative licenses can be acquired from the author. * 12 | * * 13 | * Note that the GPL places important restrictions on "derivative works", * 14 | * yet it does not provide a detailed definition of that term. To avoid * 15 | * misunderstandings, we interpret that term as broadly as copyright law * 16 | * allows. For example, we consider an application to constitute a * 17 | * derivative work for the purpose of this license if it does any of the * 18 | * following with any software or content covered by this license * 19 | * ("Covered Software"): * 20 | * * 21 | * o Integrates source code from Covered Software. * 22 | * * 23 | * o Reads or includes copyrighted data files. * 24 | * * 25 | * o Is designed specifically to execute Covered Software and parse the * 26 | * results (as opposed to typical shell or execution-menu apps, which will * 27 | * execute anything you tell them to). * 28 | * * 29 | * o Includes Covered Software in a proprietary executable installer. The * 30 | * installers produced by InstallShield are an example of this. Including * 31 | * DRAKVUF with other software in compressed or archival form does not * 32 | * trigger this provision, provided appropriate open source decompression * 33 | * or de-archiving software is widely available for no charge. 
For the * 34 | * purposes of this license, an installer is considered to include Covered * 35 | * Software even if it actually retrieves a copy of Covered Software from * 36 | * another source during runtime (such as by downloading it from the * 37 | * Internet). * 38 | * * 39 | * o Links (statically or dynamically) to a library which does any of the * 40 | * above. * 41 | * * 42 | * o Executes a helper program, module, or script to do any of the above. * 43 | * * 44 | * This list is not exclusive, but is meant to clarify our interpretation * 45 | * of derived works with some common examples. Other people may interpret * 46 | * the plain GPL differently, so we consider this a special exception to * 47 | * the GPL that we apply to Covered Software. Works which meet any of * 48 | * these conditions must conform to all of the terms of this license, * 49 | * particularly including the GPL Section 3 requirements of providing * 50 | * source code and allowing free redistribution of the work as a whole. * 51 | * * 52 | * Any redistribution of Covered Software, including any derived works, * 53 | * must obey and carry forward all of the terms of this license, including * 54 | * obeying all GPL rules and restrictions. For example, source code of * 55 | * the whole work must be provided and free redistribution must be * 56 | * allowed. All GPL references to "this License", are to be treated as * 57 | * including the terms and conditions of this license text as well. * 58 | * * 59 | * Because this license imposes special exceptions to the GPL, Covered * 60 | * Work may not be combined (even as part of a larger work) with plain GPL * 61 | * software. The terms, conditions, and exceptions of this license must * 62 | * be included as well. This license is incompatible with some other open * 63 | * source licenses as well. In some cases we can relicense portions of * 64 | * DRAKVUF or grant special permissions to use it in other open source * 65 | * software. 
Please contact tamas.k.lengyel@gmail.com with any such * 66 | * requests. Similarly, we don't incorporate incompatible open source * 67 | * software into Covered Software without special permission from the * 68 | * copyright holders. * 69 | * * 70 | * If you have any questions about the licensing restrictions on using * 71 | * DRAKVUF in other works, are happy to help. As mentioned above, * 72 | * alternative license can be requested from the author to integrate * 73 | * DRAKVUF into proprietary applications and appliances. Please email * 74 | * tamas.k.lengyel@gmail.com for further information. * 75 | * * 76 | * If you have received a written license agreement or contract for * 77 | * Covered Software stating terms other than these, you may choose to use * 78 | * and redistribute Covered Software under those terms instead of these. * 79 | * * 80 | * Source is provided to this software because we believe users have a * 81 | * right to know exactly what a program is going to do before they run it. * 82 | * This also allows you to audit the software for security holes. * 83 | * * 84 | * Source code also allows you to port DRAKVUF to new platforms, fix bugs, * 85 | * and add new features. You are highly encouraged to submit your changes * 86 | * on https://github.com/tklengyel/drakvuf, or by other methods. * 87 | * By sending these changes, it is understood (unless you specify * 88 | * otherwise) that you are offering unlimited, non-exclusive right to * 89 | * reuse, modify, and relicense the code. DRAKVUF will always be * 90 | * available Open Source, but this is important because the inability to * 91 | * relicense code has caused devastating problems for other Free Software * 92 | * projects (such as KDE and NASM). * 93 | * To specify special license conditions of your contributions, just say * 94 | * so when you send them. 
* 95 | * * 96 | * This program is distributed in the hope that it will be useful, but * 97 | * WITHOUT ANY WARRANTY; without even the implied warranty of * 98 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the DRAKVUF * 99 | * license file for more details (it's in a COPYING file included with * 100 | * DRAKVUF, and also available from * 101 | * https://github.com/tklengyel/drakvuf/COPYING) * 102 | * * 103 | ***************************************************************************/ 104 | 105 | #ifndef WIN_METHOD_SHELLCODE 106 | #define WIN_METHOD_SHELLCODE 107 | 108 | #include "win_utils.h" 109 | 110 | event_response_t handle_win_shellcode(drakvuf_t drakvuf, drakvuf_trap_info_t* info); 111 | #endif 112 | -------------------------------------------------------------------------------- /src/libinjector/win/methods/win_shellexec.h: -------------------------------------------------------------------------------- 1 | /*********************IMPORTANT DRAKVUF LICENSE TERMS********************** 2 | * * 3 | * DRAKVUF (C) 2014-2024 Tamas K Lengyel. * 4 | * Tamas K Lengyel is hereinafter referred to as the author. * 5 | * This program is free software; you may redistribute and/or modify it * 6 | * under the terms of the GNU General Public License as published by the * 7 | * Free Software Foundation; Version 2 ("GPL"), BUT ONLY WITH ALL OF THE * 8 | * CLARIFICATIONS AND EXCEPTIONS DESCRIBED HEREIN. This guarantees your * 9 | * right to use, modify, and redistribute this software under certain * 10 | * conditions. If you wish to embed DRAKVUF technology into proprietary * 11 | * software, alternative licenses can be acquired from the author. * 12 | * * 13 | * Note that the GPL places important restrictions on "derivative works", * 14 | * yet it does not provide a detailed definition of that term. To avoid * 15 | * misunderstandings, we interpret that term as broadly as copyright law * 16 | * allows. 
For example, we consider an application to constitute a * 17 | * derivative work for the purpose of this license if it does any of the * 18 | * following with any software or content covered by this license * 19 | * ("Covered Software"): * 20 | * * 21 | * o Integrates source code from Covered Software. * 22 | * * 23 | * o Reads or includes copyrighted data files. * 24 | * * 25 | * o Is designed specifically to execute Covered Software and parse the * 26 | * results (as opposed to typical shell or execution-menu apps, which will * 27 | * execute anything you tell them to). * 28 | * * 29 | * o Includes Covered Software in a proprietary executable installer. The * 30 | * installers produced by InstallShield are an example of this. Including * 31 | * DRAKVUF with other software in compressed or archival form does not * 32 | * trigger this provision, provided appropriate open source decompression * 33 | * or de-archiving software is widely available for no charge. For the * 34 | * purposes of this license, an installer is considered to include Covered * 35 | * Software even if it actually retrieves a copy of Covered Software from * 36 | * another source during runtime (such as by downloading it from the * 37 | * Internet). * 38 | * * 39 | * o Links (statically or dynamically) to a library which does any of the * 40 | * above. * 41 | * * 42 | * o Executes a helper program, module, or script to do any of the above. * 43 | * * 44 | * This list is not exclusive, but is meant to clarify our interpretation * 45 | * of derived works with some common examples. Other people may interpret * 46 | * the plain GPL differently, so we consider this a special exception to * 47 | * the GPL that we apply to Covered Software. Works which meet any of * 48 | * these conditions must conform to all of the terms of this license, * 49 | * particularly including the GPL Section 3 requirements of providing * 50 | * source code and allowing free redistribution of the work as a whole. 
* 51 | * * 52 | * Any redistribution of Covered Software, including any derived works, * 53 | * must obey and carry forward all of the terms of this license, including * 54 | * obeying all GPL rules and restrictions. For example, source code of * 55 | * the whole work must be provided and free redistribution must be * 56 | * allowed. All GPL references to "this License", are to be treated as * 57 | * including the terms and conditions of this license text as well. * 58 | * * 59 | * Because this license imposes special exceptions to the GPL, Covered * 60 | * Work may not be combined (even as part of a larger work) with plain GPL * 61 | * software. The terms, conditions, and exceptions of this license must * 62 | * be included as well. This license is incompatible with some other open * 63 | * source licenses as well. In some cases we can relicense portions of * 64 | * DRAKVUF or grant special permissions to use it in other open source * 65 | * software. Please contact tamas.k.lengyel@gmail.com with any such * 66 | * requests. Similarly, we don't incorporate incompatible open source * 67 | * software into Covered Software without special permission from the * 68 | * copyright holders. * 69 | * * 70 | * If you have any questions about the licensing restrictions on using * 71 | * DRAKVUF in other works, are happy to help. As mentioned above, * 72 | * alternative license can be requested from the author to integrate * 73 | * DRAKVUF into proprietary applications and appliances. Please email * 74 | * tamas.k.lengyel@gmail.com for further information. * 75 | * * 76 | * If you have received a written license agreement or contract for * 77 | * Covered Software stating terms other than these, you may choose to use * 78 | * and redistribute Covered Software under those terms instead of these. * 79 | * * 80 | * Source is provided to this software because we believe users have a * 81 | * right to know exactly what a program is going to do before they run it. 
* 82 | * This also allows you to audit the software for security holes. * 83 | * * 84 | * Source code also allows you to port DRAKVUF to new platforms, fix bugs, * 85 | * and add new features. You are highly encouraged to submit your changes * 86 | * on https://github.com/tklengyel/drakvuf, or by other methods. * 87 | * By sending these changes, it is understood (unless you specify * 88 | * otherwise) that you are offering unlimited, non-exclusive right to * 89 | * reuse, modify, and relicense the code. DRAKVUF will always be * 90 | * available Open Source, but this is important because the inability to * 91 | * relicense code has caused devastating problems for other Free Software * 92 | * projects (such as KDE and NASM). * 93 | * To specify special license conditions of your contributions, just say * 94 | * so when you send them. * 95 | * * 96 | * This program is distributed in the hope that it will be useful, but * 97 | * WITHOUT ANY WARRANTY; without even the implied warranty of * 98 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the DRAKVUF * 99 | * license file for more details (it's in a COPYING file included with * 100 | * DRAKVUF, and also available from * 101 | * https://github.com/tklengyel/drakvuf/COPYING) * 102 | * * 103 | ***************************************************************************/ 104 | 105 | #ifndef WIN_METHOD_SHELLEXEC 106 | #define WIN_METHOD_SHELLEXEC 107 | 108 | #include "win_utils.h" 109 | 110 | event_response_t handle_shellexec(drakvuf_t drakvuf, drakvuf_trap_info_t* info); 111 | #endif 112 | -------------------------------------------------------------------------------- /src/libinjector/win/methods/win_terminate.c: -------------------------------------------------------------------------------- 1 | #include "win_terminate.h" 2 | 3 | #include 4 | #include 5 | 6 | static event_response_t cleanup(drakvuf_t drakvuf, drakvuf_trap_info_t* info); 7 | 8 | static bool setup_open_process_stack(injector_t injector, x86_registers_t* regs) 9 | { 10 | struct argument args[3] = { {0} }; 11 | 12 | enum 13 | { 14 | PROCESS_TERMINATE = 0x1, 15 | PROCESS_CREATE_THREAD = 0x2, 16 | PROCESS_VM_OPERATION = 0x8, 17 | PROCESS_VM_WRITE = 0x10, 18 | PROCESS_VM_READ = 0x20, 19 | PROCESS_QUERY_INFORMATION = 0x400, 20 | }; 21 | 22 | // OpenProcess(PROCESS_TERMINATE, false, PID) 23 | init_int_argument(&args[0], PROCESS_TERMINATE | PROCESS_CREATE_THREAD | 24 | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ | 25 | PROCESS_QUERY_INFORMATION); 26 | 27 | init_int_argument(&args[1], 0); 28 | init_int_argument(&args[2], injector->terminate_pid); 29 | 30 | if (!setup_stack(injector->drakvuf, regs, args, ARRAY_SIZE(args))) 31 | { 32 | fprintf(stderr, "Failed to setup open process stack!\n"); 33 | return false; 34 | } 35 | return true; 36 | } 37 | 38 | static bool setup_create_remote_thread_stack(injector_t injector, x86_registers_t* regs) 39 | { 40 | struct argument args[7] = { {0} }; 41 | 42 | // CreateRemoteThread(handle, NULL, NULL, ExitProcess, 0, NULL, NULL) 43 | 
init_int_argument(&args[0], regs->rax); 44 | init_int_argument(&args[1], 0); 45 | init_int_argument(&args[2], 0); 46 | init_int_argument(&args[3], injector->exit_process); 47 | init_int_argument(&args[4], 0); 48 | init_int_argument(&args[5], 0); 49 | init_int_argument(&args[6], 0); 50 | 51 | if (!setup_stack(injector->drakvuf, regs, args, ARRAY_SIZE(args))) 52 | { 53 | fprintf(stderr, "Failed to setup stack for passing inputs!\n"); 54 | return false; 55 | } 56 | return true; 57 | 58 | } 59 | 60 | event_response_t handle_win_terminate(drakvuf_t drakvuf, drakvuf_trap_info_t* info) 61 | { 62 | injector_t injector = info->trap->data; 63 | base_injector_t base_injector = &injector->base_injector; 64 | 65 | switch (base_injector->step) 66 | { 67 | case STEP1: 68 | { 69 | // save registers 70 | PRINT_DEBUG("Saving registers\n"); 71 | memcpy(&injector->x86_saved_regs, info->regs, sizeof(x86_registers_t)); 72 | 73 | /* We just hit the RIP from the trapframe */ 74 | PRINT_DEBUG("Open process %d to terminate it.\n", injector->terminate_pid); 75 | 76 | if (!setup_open_process_stack(injector, info->regs)) 77 | return cleanup(drakvuf, info); 78 | 79 | info->regs->rip = injector->open_process; 80 | return VMI_EVENT_RESPONSE_SET_REGISTERS; 81 | } 82 | case STEP2: 83 | { 84 | if (is_fun_error(drakvuf, info, "Could not open process handle")) 85 | return cleanup(drakvuf, info); 86 | 87 | PRINT_DEBUG("Process %d opened with handle %#lx. 
Terminate it!\n", injector->terminate_pid, info->regs->rax); 88 | 89 | if (!setup_create_remote_thread_stack(injector, info->regs)) 90 | return cleanup(drakvuf, info); 91 | 92 | info->regs->rip = injector->exec_func; 93 | return VMI_EVENT_RESPONSE_SET_REGISTERS; 94 | } 95 | case STEP3: 96 | { 97 | if (is_fun_error(drakvuf, info, "Could not terminate process")) 98 | return cleanup(drakvuf, info); 99 | 100 | PRINT_DEBUG("Process %d terminated successfully!\n", injector->terminate_pid); 101 | 102 | drakvuf_remove_trap(drakvuf, info->trap, NULL); 103 | drakvuf_interrupt(drakvuf, SIGINT); 104 | 105 | memcpy(info->regs, &injector->x86_saved_regs, sizeof(x86_registers_t)); 106 | return VMI_EVENT_RESPONSE_SET_REGISTERS; 107 | } 108 | default: 109 | { 110 | PRINT_DEBUG("Should not be here\n"); 111 | assert(false); 112 | } 113 | } 114 | return VMI_EVENT_RESPONSE_NONE; 115 | } 116 | 117 | static event_response_t cleanup(drakvuf_t drakvuf, drakvuf_trap_info_t* info) 118 | { 119 | injector_t injector = info->trap->data; 120 | 121 | PRINT_DEBUG("Exiting prematurely\n"); 122 | 123 | if (injector->rc == INJECTOR_SUCCEEDED) 124 | injector->rc = INJECTOR_FAILED; 125 | 126 | drakvuf_remove_trap(drakvuf, info->trap, NULL); 127 | drakvuf_interrupt(drakvuf, SIGDRAKVUFERROR); 128 | 129 | memcpy(info->regs, &injector->x86_saved_regs, sizeof(x86_registers_t)); 130 | return VMI_EVENT_RESPONSE_SET_REGISTERS; 131 | } 132 | -------------------------------------------------------------------------------- /src/libinjector/win/methods/win_terminate.h: -------------------------------------------------------------------------------- 1 | #ifndef WIN_METHOD_TERMINATE 2 | #define WIN_METHOD_TERMINATE 3 | 4 | #include "win_utils.h" 5 | 6 | event_response_t handle_win_terminate(drakvuf_t drakvuf, drakvuf_trap_info_t* info); 7 | #endif 8 | -------------------------------------------------------------------------------- /src/libinjector/win/methods/win_write_file.h: 
-------------------------------------------------------------------------------- 1 | /*********************IMPORTANT DRAKVUF LICENSE TERMS********************** 2 | * * 3 | * DRAKVUF (C) 2014-2024 Tamas K Lengyel. * 4 | * Tamas K Lengyel is hereinafter referred to as the author. * 5 | * This program is free software; you may redistribute and/or modify it * 6 | * under the terms of the GNU General Public License as published by the * 7 | * Free Software Foundation; Version 2 ("GPL"), BUT ONLY WITH ALL OF THE * 8 | * CLARIFICATIONS AND EXCEPTIONS DESCRIBED HEREIN. This guarantees your * 9 | * right to use, modify, and redistribute this software under certain * 10 | * conditions. If you wish to embed DRAKVUF technology into proprietary * 11 | * software, alternative licenses can be acquired from the author. * 12 | * * 13 | * Note that the GPL places important restrictions on "derivative works", * 14 | * yet it does not provide a detailed definition of that term. To avoid * 15 | * misunderstandings, we interpret that term as broadly as copyright law * 16 | * allows. For example, we consider an application to constitute a * 17 | * derivative work for the purpose of this license if it does any of the * 18 | * following with any software or content covered by this license * 19 | * ("Covered Software"): * 20 | * * 21 | * o Integrates source code from Covered Software. * 22 | * * 23 | * o Reads or includes copyrighted data files. * 24 | * * 25 | * o Is designed specifically to execute Covered Software and parse the * 26 | * results (as opposed to typical shell or execution-menu apps, which will * 27 | * execute anything you tell them to). * 28 | * * 29 | * o Includes Covered Software in a proprietary executable installer. The * 30 | * installers produced by InstallShield are an example of this. 
Including * 31 | * DRAKVUF with other software in compressed or archival form does not * 32 | * trigger this provision, provided appropriate open source decompression * 33 | * or de-archiving software is widely available for no charge. For the * 34 | * purposes of this license, an installer is considered to include Covered * 35 | * Software even if it actually retrieves a copy of Covered Software from * 36 | * another source during runtime (such as by downloading it from the * 37 | * Internet). * 38 | * * 39 | * o Links (statically or dynamically) to a library which does any of the * 40 | * above. * 41 | * * 42 | * o Executes a helper program, module, or script to do any of the above. * 43 | * * 44 | * This list is not exclusive, but is meant to clarify our interpretation * 45 | * of derived works with some common examples. Other people may interpret * 46 | * the plain GPL differently, so we consider this a special exception to * 47 | * the GPL that we apply to Covered Software. Works which meet any of * 48 | * these conditions must conform to all of the terms of this license, * 49 | * particularly including the GPL Section 3 requirements of providing * 50 | * source code and allowing free redistribution of the work as a whole. * 51 | * * 52 | * Any redistribution of Covered Software, including any derived works, * 53 | * must obey and carry forward all of the terms of this license, including * 54 | * obeying all GPL rules and restrictions. For example, source code of * 55 | * the whole work must be provided and free redistribution must be * 56 | * allowed. All GPL references to "this License", are to be treated as * 57 | * including the terms and conditions of this license text as well. * 58 | * * 59 | * Because this license imposes special exceptions to the GPL, Covered * 60 | * Work may not be combined (even as part of a larger work) with plain GPL * 61 | * software. The terms, conditions, and exceptions of this license must * 62 | * be included as well. 
This license is incompatible with some other open * 63 | * source licenses as well. In some cases we can relicense portions of * 64 | * DRAKVUF or grant special permissions to use it in other open source * 65 | * software. Please contact tamas.k.lengyel@gmail.com with any such * 66 | * requests. Similarly, we don't incorporate incompatible open source * 67 | * software into Covered Software without special permission from the * 68 | * copyright holders. * 69 | * * 70 | * If you have any questions about the licensing restrictions on using * 71 | * DRAKVUF in other works, are happy to help. As mentioned above, * 72 | * alternative license can be requested from the author to integrate * 73 | * DRAKVUF into proprietary applications and appliances. Please email * 74 | * tamas.k.lengyel@gmail.com for further information. * 75 | * * 76 | * If you have received a written license agreement or contract for * 77 | * Covered Software stating terms other than these, you may choose to use * 78 | * and redistribute Covered Software under those terms instead of these. * 79 | * * 80 | * Source is provided to this software because we believe users have a * 81 | * right to know exactly what a program is going to do before they run it. * 82 | * This also allows you to audit the software for security holes. * 83 | * * 84 | * Source code also allows you to port DRAKVUF to new platforms, fix bugs, * 85 | * and add new features. You are highly encouraged to submit your changes * 86 | * on https://github.com/tklengyel/drakvuf, or by other methods. * 87 | * By sending these changes, it is understood (unless you specify * 88 | * otherwise) that you are offering unlimited, non-exclusive right to * 89 | * reuse, modify, and relicense the code. DRAKVUF will always be * 90 | * available Open Source, but this is important because the inability to * 91 | * relicense code has caused devastating problems for other Free Software * 92 | * projects (such as KDE and NASM). 
* 93 | * To specify special license conditions of your contributions, just say * 94 | * so when you send them. * 95 | * * 96 | * This program is distributed in the hope that it will be useful, but * 97 | * WITHOUT ANY WARRANTY; without even the implied warranty of * 98 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the DRAKVUF * 99 | * license file for more details (it's in a COPYING file included with * 100 | * DRAKVUF, and also available from * 101 | * https://github.com/tklengyel/drakvuf/COPYING) * 102 | * * 103 | ***************************************************************************/ 104 | 105 | #ifndef WIN_METHOD_WRITEFILE 106 | #define WIN_METHOD_WRITEFILE 107 | 108 | #include "win_utils.h" 109 | 110 | event_response_t handle_writefile(drakvuf_t drakvuf, drakvuf_trap_info_t* info); 111 | #endif 112 | -------------------------------------------------------------------------------- /src/librepl/gen.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ctypesgen=$1 4 | libdrakvufh=$2 5 | libdrakvufpy=$3 6 | 7 | $ctypesgen $libdrakvufh -l repl `pkg-config --cflags-only-I --libs-only-L glib-2.0 libvmi` -o $libdrakvufpy 2> /dev/null 8 | -------------------------------------------------------------------------------- /src/librepl/meson.build: -------------------------------------------------------------------------------- 1 | if get_option('repl') 2 | 3 | python3 = dependency('python3') 4 | python3embed = dependency('python3-embed') 5 | 6 | repl_h = include_directories( 7 | '..', '../..', 8 | ) 9 | 10 | librepl = shared_library('repl', 11 | 'repl.cpp', 12 | 13 | include_directories : repl_h, 14 | dependencies : [glib, libvmi, python3, python3embed], 15 | link_with : libdrakvuf 16 | ) 17 | 18 | ctypesgen = find_program('ctypesgen') 19 | gensh = find_program('gen.sh') 20 | 21 | libdrakvufpy = custom_target('libdrakvuf.py', 22 | input : '../libdrakvuf/libdrakvuf.h', 23 | output : 'libdrakvuf.py', 
24 | command : [gensh, ctypesgen, '@INPUT@', '@OUTPUT@'], 25 | build_by_default : true 26 | ) 27 | 28 | endif 29 | -------------------------------------------------------------------------------- /src/libusermode/meson.build: -------------------------------------------------------------------------------- 1 | libusermode_h = include_directories( 2 | '..', '../..' 3 | ) 4 | libusermode = static_library('usermode', 5 | 'userhook.cpp', 6 | 'userhook_pf.cpp', 7 | 'userhook_inject.cpp', 8 | 'running.cpp', 9 | 'utils.cpp', 10 | 'printers/printers.cpp', 11 | 'printers/utils.cpp', 12 | 13 | dependencies : deps, 14 | include_directories : libusermode_h, 15 | link_with : libdrakvuf 16 | ) 17 | 18 | if check.found() 19 | userhook_check = executable('userhook_check', 20 | sources : 'check.cpp', 21 | include_directories : libusermode_h, 22 | dependencies : [deps, check], 23 | link_with : [libdrakvuf, libusermode], 24 | install : false 25 | ) 26 | test('userhook_check', userhook_check) 27 | 28 | if meson.version().version_compare('>=1.1.0') 29 | utils_o = libusermode.extract_objects('printers/utils.cpp') 30 | utils_dep = declare_dependency(objects: utils_o) 31 | libusermode_printers_check = executable('libusermode_printers_check', 32 | sources : 'printers/check.cpp', 33 | include_directories : libusermode_h, 34 | dependencies : [deps, utils_dep, check], 35 | link_with : libdrakvuf, 36 | install : false 37 | ) 38 | test('libusermode_printers_check', libusermode_printers_check) 39 | endif 40 | endif 41 | -------------------------------------------------------------------------------- /src/libusermode/printers/utils.hpp: -------------------------------------------------------------------------------- 1 | /*********************IMPORTANT DRAKVUF LICENSE TERMS*********************** 2 | * * 3 | * DRAKVUF (C) 2014-2024 Tamas K Lengyel. * 4 | * Tamas K Lengyel is hereinafter referred to as the author. 
* 5 | * This program is free software; you may redistribute and/or modify it * 6 | * under the terms of the GNU General Public License as published by the * 7 | * Free Software Foundation; Version 2 ("GPL"), BUT ONLY WITH ALL OF THE * 8 | * CLARIFICATIONS AND EXCEPTIONS DESCRIBED HEREIN. This guarantees your * 9 | * right to use, modify, and redistribute this software under certain * 10 | * conditions. If you wish to embed DRAKVUF technology into proprietary * 11 | * software, alternative licenses can be acquired from the author. * 12 | * * 13 | * Note that the GPL places important restrictions on "derivative works", * 14 | * yet it does not provide a detailed definition of that term. To avoid * 15 | * misunderstandings, we interpret that term as broadly as copyright law * 16 | * allows. For example, we consider an application to constitute a * 17 | * derivative work for the purpose of this license if it does any of the * 18 | * following with any software or content covered by this license * 19 | * ("Covered Software"): * 20 | * * 21 | * o Integrates source code from Covered Software. * 22 | * * 23 | * o Reads or includes copyrighted data files. * 24 | * * 25 | * o Is designed specifically to execute Covered Software and parse the * 26 | * results (as opposed to typical shell or execution-menu apps, which will * 27 | * execute anything you tell them to). * 28 | * * 29 | * o Includes Covered Software in a proprietary executable installer. The * 30 | * installers produced by InstallShield are an example of this. Including * 31 | * DRAKVUF with other software in compressed or archival form does not * 32 | * trigger this provision, provided appropriate open source decompression * 33 | * or de-archiving software is widely available for no charge. 
For the * 34 | * purposes of this license, an installer is considered to include Covered * 35 | * Software even if it actually retrieves a copy of Covered Software from * 36 | * another source during runtime (such as by downloading it from the * 37 | * Internet). * 38 | * * 39 | * o Links (statically or dynamically) to a library which does any of the * 40 | * above. * 41 | * * 42 | * o Executes a helper program, module, or script to do any of the above. * 43 | * * 44 | * This list is not exclusive, but is meant to clarify our interpretation * 45 | * of derived works with some common examples. Other people may interpret * 46 | * the plain GPL differently, so we consider this a special exception to * 47 | * the GPL that we apply to Covered Software. Works which meet any of * 48 | * these conditions must conform to all of the terms of this license, * 49 | * particularly including the GPL Section 3 requirements of providing * 50 | * source code and allowing free redistribution of the work as a whole. * 51 | * * 52 | * Any redistribution of Covered Software, including any derived works, * 53 | * must obey and carry forward all of the terms of this license, including * 54 | * obeying all GPL rules and restrictions. For example, source code of * 55 | * the whole work must be provided and free redistribution must be * 56 | * allowed. All GPL references to "this License", are to be treated as * 57 | * including the terms and conditions of this license text as well. * 58 | * * 59 | * Because this license imposes special exceptions to the GPL, Covered * 60 | * Work may not be combined (even as part of a larger work) with plain GPL * 61 | * software. The terms, conditions, and exceptions of this license must * 62 | * be included as well. This license is incompatible with some other open * 63 | * source licenses as well. In some cases we can relicense portions of * 64 | * DRAKVUF or grant special permissions to use it in other open source * 65 | * software. 
Please contact tamas.k.lengyel@gmail.com with any such * 66 | * requests. Similarly, we don't incorporate incompatible open source * 67 | * software into Covered Software without special permission from the * 68 | * copyright holders. * 69 | * * 70 | * If you have any questions about the licensing restrictions on using * 71 | * DRAKVUF in other works, are happy to help. As mentioned above, * 72 | * alternative license can be requested from the author to integrate * 73 | * DRAKVUF into proprietary applications and appliances. Please email * 74 | * tamas.k.lengyel@gmail.com for further information. * 75 | * * 76 | * If you have received a written license agreement or contract for * 77 | * Covered Software stating terms other than these, you may choose to use * 78 | * and redistribute Covered Software under those terms instead of these. * 79 | * * 80 | * Source is provided to this software because we believe users have a * 81 | * right to know exactly what a program is going to do before they run it. * 82 | * This also allows you to audit the software for security holes. * 83 | * * 84 | * Source code also allows you to port DRAKVUF to new platforms, fix bugs, * 85 | * and add new features. You are highly encouraged to submit your changes * 86 | * on https://github.com/tklengyel/drakvuf, or by other methods. * 87 | * By sending these changes, it is understood (unless you specify * 88 | * otherwise) that you are offering unlimited, non-exclusive right to * 89 | * reuse, modify, and relicense the code. DRAKVUF will always be * 90 | * available Open Source, but this is important because the inability to * 91 | * relicense code has caused devastating problems for other Free Software * 92 | * projects (such as KDE and NASM). * 93 | * To specify special license conditions of your contributions, just say * 94 | * so when you send them. 
* 95 | * * 96 | * This program is distributed in the hope that it will be useful, but * 97 | * WITHOUT ANY WARRANTY; without even the implied warranty of * 98 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the DRAKVUF * 99 | * license file for more details (it's in a COPYING file included with * 100 | * DRAKVUF, and also available from * 101 | * https://github.com/tklengyel/drakvuf/COPYING) * 102 | * * 103 | ***************************************************************************/ 104 | 105 | #ifndef LIBUSERMODE_PRINTERS_UTILS_H 106 | #define LIBUSERMODE_PRINTERS_UTILS_H 107 | 108 | 109 | #include 110 | 111 | std::string escape_str(const std::string& s); 112 | 113 | #endif -------------------------------------------------------------------------------- /src/plugins/bsodmon/bugcheck.h: -------------------------------------------------------------------------------- 1 | #ifndef BUGCHECK_H 2 | #define BUGCHECK_H 3 | 4 | 5 | #include 6 | 7 | #include "bsodmon.h" 8 | 9 | void init_bugcheck_map( bsodmon* monitor, drakvuf_t drakvuf ); 10 | 11 | #endif 12 | -------------------------------------------------------------------------------- /src/plugins/bsodmon/private.h: -------------------------------------------------------------------------------- 1 | /*********************IMPORTANT DRAKVUF LICENSE TERMS*********************** 2 | * * 3 | * DRAKVUF (C) 2014-2024 Tamas K Lengyel. * 4 | * Tamas K Lengyel is hereinafter referred to as the author. * 5 | * This program is free software; you may redistribute and/or modify it * 6 | * under the terms of the GNU General Public License as published by the * 7 | * Free Software Foundation; Version 2 ("GPL"), BUT ONLY WITH ALL OF THE * 8 | * CLARIFICATIONS AND EXCEPTIONS DESCRIBED HEREIN. This guarantees your * 9 | * right to use, modify, and redistribute this software under certain * 10 | * conditions. 
If you wish to embed DRAKVUF technology into proprietary * 11 | * software, alternative licenses can be acquired from the author. * 12 | * * 13 | * Note that the GPL places important restrictions on "derivative works", * 14 | * yet it does not provide a detailed definition of that term. To avoid * 15 | * misunderstandings, we interpret that term as broadly as copyright law * 16 | * allows. For example, we consider an application to constitute a * 17 | * derivative work for the purpose of this license if it does any of the * 18 | * following with any software or content covered by this license * 19 | * ("Covered Software"): * 20 | * * 21 | * o Integrates source code from Covered Software. * 22 | * * 23 | * o Reads or includes copyrighted data files. * 24 | * * 25 | * o Is designed specifically to execute Covered Software and parse the * 26 | * results (as opposed to typical shell or execution-menu apps, which will * 27 | * execute anything you tell them to). * 28 | * * 29 | * o Includes Covered Software in a proprietary executable installer. The * 30 | * installers produced by InstallShield are an example of this. Including * 31 | * DRAKVUF with other software in compressed or archival form does not * 32 | * trigger this provision, provided appropriate open source decompression * 33 | * or de-archiving software is widely available for no charge. For the * 34 | * purposes of this license, an installer is considered to include Covered * 35 | * Software even if it actually retrieves a copy of Covered Software from * 36 | * another source during runtime (such as by downloading it from the * 37 | * Internet). * 38 | * * 39 | * o Links (statically or dynamically) to a library which does any of the * 40 | * above. * 41 | * * 42 | * o Executes a helper program, module, or script to do any of the above. * 43 | * * 44 | * This list is not exclusive, but is meant to clarify our interpretation * 45 | * of derived works with some common examples. 
Other people may interpret * 46 | * the plain GPL differently, so we consider this a special exception to * 47 | * the GPL that we apply to Covered Software. Works which meet any of * 48 | * these conditions must conform to all of the terms of this license, * 49 | * particularly including the GPL Section 3 requirements of providing * 50 | * source code and allowing free redistribution of the work as a whole. * 51 | * * 52 | * Any redistribution of Covered Software, including any derived works, * 53 | * must obey and carry forward all of the terms of this license, including * 54 | * obeying all GPL rules and restrictions. For example, source code of * 55 | * the whole work must be provided and free redistribution must be * 56 | * allowed. All GPL references to "this License", are to be treated as * 57 | * including the terms and conditions of this license text as well. * 58 | * * 59 | * Because this license imposes special exceptions to the GPL, Covered * 60 | * Work may not be combined (even as part of a larger work) with plain GPL * 61 | * software. The terms, conditions, and exceptions of this license must * 62 | * be included as well. This license is incompatible with some other open * 63 | * source licenses as well. In some cases we can relicense portions of * 64 | * DRAKVUF or grant special permissions to use it in other open source * 65 | * software. Please contact tamas.k.lengyel@gmail.com with any such * 66 | * requests. Similarly, we don't incorporate incompatible open source * 67 | * software into Covered Software without special permission from the * 68 | * copyright holders. * 69 | * * 70 | * If you have any questions about the licensing restrictions on using * 71 | * DRAKVUF in other works, are happy to help. As mentioned above, * 72 | * alternative license can be requested from the author to integrate * 73 | * DRAKVUF into proprietary applications and appliances. Please email * 74 | * tamas.k.lengyel@gmail.com for further information. 
* 75 | * * 76 | * If you have received a written license agreement or contract for * 77 | * Covered Software stating terms other than these, you may choose to use * 78 | * and redistribute Covered Software under those terms instead of these. * 79 | * * 80 | * Source is provided to this software because we believe users have a * 81 | * right to know exactly what a program is going to do before they run it. * 82 | * This also allows you to audit the software for security holes. * 83 | * * 84 | * Source code also allows you to port DRAKVUF to new platforms, fix bugs, * 85 | * and add new features. You are highly encouraged to submit your changes * 86 | * on https://github.com/tklengyel/drakvuf, or by other methods. * 87 | * By sending these changes, it is understood (unless you specify * 88 | * otherwise) that you are offering unlimited, non-exclusive right to * 89 | * reuse, modify, and relicense the code. DRAKVUF will always be * 90 | * available Open Source, but this is important because the inability to * 91 | * relicense code has caused devastating problems for other Free Software * 92 | * projects (such as KDE and NASM). * 93 | * To specify special license conditions of your contributions, just say * 94 | * so when you send them. * 95 | * * 96 | * This program is distributed in the hope that it will be useful, but * 97 | * WITHOUT ANY WARRANTY; without even the implied warranty of * 98 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the DRAKVUF * 99 | * license file for more details (it's in a COPYING file included with * 100 | * DRAKVUF, and also available from * 101 | * https://github.com/tklengyel/drakvuf/COPYING) * 102 | * * 103 | ***************************************************************************/ 104 | 105 | #ifndef BSODMON_PRIVATE_H 106 | #define BSODMON_PRIVATE_H 107 | 108 | void init_bugcheck_win7( bsodmon* monitor ); 109 | void init_bugcheck_map( bsodmon* monitor, drakvuf_t drakvuf ); 110 | 111 | #endif 112 | -------------------------------------------------------------------------------- /src/plugins/callbackmon/README.md: -------------------------------------------------------------------------------- 1 | # Abstract 2 | 3 | The _callbackmon_ plug-in detects overwritten/deleted/added callbacks in various kernel structures. 4 | 5 | ## Description 6 | 7 | The plug-in collects already installed callbacks at the beginning of the analysis and compares them with the snapshot, created at the end of analysis. 
8 | 9 | List of structures that callbackmon currently monitors: 10 | 11 | * `PspCreateProcessNotifyRoutine` 12 | * `PspCreateThreadNotifyRoutine` 13 | * `PspLoadImageNotifyRoutine` 14 | * `KeBugCheckCallbackListHead` 15 | * `KeBugCheckReasonCallbackListHead` 16 | * `CallbackListHead` 17 | * `SeFileSystemNotifyRoutinesHead` 18 | * `PopRegisteredPowerSettingCallbacks` 19 | * `IopNotifyShutdownQueueHead` 20 | * `IopNotifyLastChanceShutdownQueueHead` 21 | * `RtlpDebugPrintCallbackList` 22 | * `IopFsNotifyChangeQueueHead` 23 | * `IopDriverReinitializeQueueHead` 24 | * `IopBootDriverReinitializeQueueHead` 25 | * `KiNmiCallbackListHead` 26 | * `IopUpdatePriorityCallbackRoutine` 27 | * `PnpProfileNotifyList` 28 | * `PnpDeviceClassNotifyList` 29 | * `EmpCallbackListHead` 30 | * `PsWin32CallBack` 31 | * `netio.sys gWfpGlobal callbacks` -------------------------------------------------------------------------------- /src/plugins/cpuidmon/private.h: -------------------------------------------------------------------------------- 1 | /*********************IMPORTANT DRAKVUF LICENSE TERMS*********************** 2 | * * 3 | * DRAKVUF (C) 2014-2024 Tamas K Lengyel. * 4 | * Tamas K Lengyel is hereinafter referred to as the author. * 5 | * This program is free software; you may redistribute and/or modify it * 6 | * under the terms of the GNU General Public License as published by the * 7 | * Free Software Foundation; Version 2 ("GPL"), BUT ONLY WITH ALL OF THE * 8 | * CLARIFICATIONS AND EXCEPTIONS DESCRIBED HEREIN. This guarantees your * 9 | * right to use, modify, and redistribute this software under certain * 10 | * conditions. If you wish to embed DRAKVUF technology into proprietary * 11 | * software, alternative licenses can be acquired from the author. * 12 | * * 13 | * Note that the GPL places important restrictions on "derivative works", * 14 | * yet it does not provide a detailed definition of that term. 
To avoid * 15 | * misunderstandings, we interpret that term as broadly as copyright law * 16 | * allows. For example, we consider an application to constitute a * 17 | * derivative work for the purpose of this license if it does any of the * 18 | * following with any software or content covered by this license * 19 | * ("Covered Software"): * 20 | * * 21 | * o Integrates source code from Covered Software. * 22 | * * 23 | * o Reads or includes copyrighted data files. * 24 | * * 25 | * o Is designed specifically to execute Covered Software and parse the * 26 | * results (as opposed to typical shell or execution-menu apps, which will * 27 | * execute anything you tell them to). * 28 | * * 29 | * o Includes Covered Software in a proprietary executable installer. The * 30 | * installers produced by InstallShield are an example of this. Including * 31 | * DRAKVUF with other software in compressed or archival form does not * 32 | * trigger this provision, provided appropriate open source decompression * 33 | * or de-archiving software is widely available for no charge. For the * 34 | * purposes of this license, an installer is considered to include Covered * 35 | * Software even if it actually retrieves a copy of Covered Software from * 36 | * another source during runtime (such as by downloading it from the * 37 | * Internet). * 38 | * * 39 | * o Links (statically or dynamically) to a library which does any of the * 40 | * above. * 41 | * * 42 | * o Executes a helper program, module, or script to do any of the above. * 43 | * * 44 | * This list is not exclusive, but is meant to clarify our interpretation * 45 | * of derived works with some common examples. Other people may interpret * 46 | * the plain GPL differently, so we consider this a special exception to * 47 | * the GPL that we apply to Covered Software. 
Works which meet any of * 48 | * these conditions must conform to all of the terms of this license, * 49 | * particularly including the GPL Section 3 requirements of providing * 50 | * source code and allowing free redistribution of the work as a whole. * 51 | * * 52 | * Any redistribution of Covered Software, including any derived works, * 53 | * must obey and carry forward all of the terms of this license, including * 54 | * obeying all GPL rules and restrictions. For example, source code of * 55 | * the whole work must be provided and free redistribution must be * 56 | * allowed. All GPL references to "this License", are to be treated as * 57 | * including the terms and conditions of this license text as well. * 58 | * * 59 | * Because this license imposes special exceptions to the GPL, Covered * 60 | * Work may not be combined (even as part of a larger work) with plain GPL * 61 | * software. The terms, conditions, and exceptions of this license must * 62 | * be included as well. This license is incompatible with some other open * 63 | * source licenses as well. In some cases we can relicense portions of * 64 | * DRAKVUF or grant special permissions to use it in other open source * 65 | * software. Please contact tamas.k.lengyel@gmail.com with any such * 66 | * requests. Similarly, we don't incorporate incompatible open source * 67 | * software into Covered Software without special permission from the * 68 | * copyright holders. * 69 | * * 70 | * If you have any questions about the licensing restrictions on using * 71 | * DRAKVUF in other works, are happy to help. As mentioned above, * 72 | * alternative license can be requested from the author to integrate * 73 | * DRAKVUF into proprietary applications and appliances. Please email * 74 | * tamas.k.lengyel@gmail.com for further information. 
* 75 | * * 76 | * If you have received a written license agreement or contract for * 77 | * Covered Software stating terms other than these, you may choose to use * 78 | * and redistribute Covered Software under those terms instead of these. * 79 | * * 80 | * Source is provided to this software because we believe users have a * 81 | * right to know exactly what a program is going to do before they run it. * 82 | * This also allows you to audit the software for security holes. * 83 | * * 84 | * Source code also allows you to port DRAKVUF to new platforms, fix bugs, * 85 | * and add new features. You are highly encouraged to submit your changes * 86 | * on https://github.com/tklengyel/drakvuf, or by other methods. * 87 | * By sending these changes, it is understood (unless you specify * 88 | * otherwise) that you are offering unlimited, non-exclusive right to * 89 | * reuse, modify, and relicense the code. DRAKVUF will always be * 90 | * available Open Source, but this is important because the inability to * 91 | * relicense code has caused devastating problems for other Free Software * 92 | * projects (such as KDE and NASM). * 93 | * To specify special license conditions of your contributions, just say * 94 | * so when you send them. * 95 | * * 96 | * This program is distributed in the hope that it will be useful, but * 97 | * WITHOUT ANY WARRANTY; without even the implied warranty of * 98 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the DRAKVUF * 99 | * license file for more details (it's in a COPYING file included with * 100 | * DRAKVUF, and also available from * 101 | * https://github.com/tklengyel/drakvuf/COPYING) * 102 | * * 103 | ***************************************************************************/ 104 | 105 | #ifndef CPUIDMON_PRIVATE_H 106 | #define CPUIDMON_PRIVATE_H 107 | 108 | event_response_t cpuid_cb(drakvuf_t drakvuf, drakvuf_trap_info_t* info); 109 | 110 | #endif 111 | -------------------------------------------------------------------------------- /src/plugins/debugmon/private.h: -------------------------------------------------------------------------------- 1 | /*********************IMPORTANT DRAKVUF LICENSE TERMS*********************** 2 | * * 3 | * DRAKVUF (C) 2014-2024 Tamas K Lengyel. * 4 | * Tamas K Lengyel is hereinafter referred to as the author. * 5 | * This program is free software; you may redistribute and/or modify it * 6 | * under the terms of the GNU General Public License as published by the * 7 | * Free Software Foundation; Version 2 ("GPL"), BUT ONLY WITH ALL OF THE * 8 | * CLARIFICATIONS AND EXCEPTIONS DESCRIBED HEREIN. This guarantees your * 9 | * right to use, modify, and redistribute this software under certain * 10 | * conditions. If you wish to embed DRAKVUF technology into proprietary * 11 | * software, alternative licenses can be acquired from the author. * 12 | * * 13 | * Note that the GPL places important restrictions on "derivative works", * 14 | * yet it does not provide a detailed definition of that term. To avoid * 15 | * misunderstandings, we interpret that term as broadly as copyright law * 16 | * allows. For example, we consider an application to constitute a * 17 | * derivative work for the purpose of this license if it does any of the * 18 | * following with any software or content covered by this license * 19 | * ("Covered Software"): * 20 | * * 21 | * o Integrates source code from Covered Software. 
* 22 | * * 23 | * o Reads or includes copyrighted data files. * 24 | * * 25 | * o Is designed specifically to execute Covered Software and parse the * 26 | * results (as opposed to typical shell or execution-menu apps, which will * 27 | * execute anything you tell them to). * 28 | * * 29 | * o Includes Covered Software in a proprietary executable installer. The * 30 | * installers produced by InstallShield are an example of this. Including * 31 | * DRAKVUF with other software in compressed or archival form does not * 32 | * trigger this provision, provided appropriate open source decompression * 33 | * or de-archiving software is widely available for no charge. For the * 34 | * purposes of this license, an installer is considered to include Covered * 35 | * Software even if it actually retrieves a copy of Covered Software from * 36 | * another source during runtime (such as by downloading it from the * 37 | * Internet). * 38 | * * 39 | * o Links (statically or dynamically) to a library which does any of the * 40 | * above. * 41 | * * 42 | * o Executes a helper program, module, or script to do any of the above. * 43 | * * 44 | * This list is not exclusive, but is meant to clarify our interpretation * 45 | * of derived works with some common examples. Other people may interpret * 46 | * the plain GPL differently, so we consider this a special exception to * 47 | * the GPL that we apply to Covered Software. Works which meet any of * 48 | * these conditions must conform to all of the terms of this license, * 49 | * particularly including the GPL Section 3 requirements of providing * 50 | * source code and allowing free redistribution of the work as a whole. * 51 | * * 52 | * Any redistribution of Covered Software, including any derived works, * 53 | * must obey and carry forward all of the terms of this license, including * 54 | * obeying all GPL rules and restrictions. 
For example, source code of * 55 | * the whole work must be provided and free redistribution must be * 56 | * allowed. All GPL references to "this License", are to be treated as * 57 | * including the terms and conditions of this license text as well. * 58 | * * 59 | * Because this license imposes special exceptions to the GPL, Covered * 60 | * Work may not be combined (even as part of a larger work) with plain GPL * 61 | * software. The terms, conditions, and exceptions of this license must * 62 | * be included as well. This license is incompatible with some other open * 63 | * source licenses as well. In some cases we can relicense portions of * 64 | * DRAKVUF or grant special permissions to use it in other open source * 65 | * software. Please contact tamas.k.lengyel@gmail.com with any such * 66 | * requests. Similarly, we don't incorporate incompatible open source * 67 | * software into Covered Software without special permission from the * 68 | * copyright holders. * 69 | * * 70 | * If you have any questions about the licensing restrictions on using * 71 | * DRAKVUF in other works, are happy to help. As mentioned above, * 72 | * alternative license can be requested from the author to integrate * 73 | * DRAKVUF into proprietary applications and appliances. Please email * 74 | * tamas.k.lengyel@gmail.com for further information. * 75 | * * 76 | * If you have received a written license agreement or contract for * 77 | * Covered Software stating terms other than these, you may choose to use * 78 | * and redistribute Covered Software under those terms instead of these. * 79 | * * 80 | * Source is provided to this software because we believe users have a * 81 | * right to know exactly what a program is going to do before they run it. * 82 | * This also allows you to audit the software for security holes. * 83 | * * 84 | * Source code also allows you to port DRAKVUF to new platforms, fix bugs, * 85 | * and add new features. 
You are highly encouraged to submit your changes * 86 | * on https://github.com/tklengyel/drakvuf, or by other methods. * 87 | * By sending these changes, it is understood (unless you specify * 88 | * otherwise) that you are offering unlimited, non-exclusive right to * 89 | * reuse, modify, and relicense the code. DRAKVUF will always be * 90 | * available Open Source, but this is important because the inability to * 91 | * relicense code has caused devastating problems for other Free Software * 92 | * projects (such as KDE and NASM). * 93 | * To specify special license conditions of your contributions, just say * 94 | * so when you send them. * 95 | * * 96 | * This program is distributed in the hope that it will be useful, but * 97 | * WITHOUT ANY WARRANTY; without even the implied warranty of * 98 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the DRAKVUF * 99 | * license file for more details (it's in a COPYING file included with * 100 | * DRAKVUF, and also available from * 101 | * https://github.com/tklengyel/drakvuf/COPYING) * 102 | * * 103 | ***************************************************************************/ 104 | 105 | #ifndef DEBUGMON_PRIVATE_H 106 | #define DEBUGMON_PRIVATE_H 107 | 108 | event_response_t debug_cb(drakvuf_t drakvuf, drakvuf_trap_info_t* info); 109 | 110 | #endif 111 | -------------------------------------------------------------------------------- /src/plugins/etwmon/README.md: -------------------------------------------------------------------------------- 1 | # Abstract 2 | 3 | The _etwmon_ plug-in detects various etw-related modifications in windows kernel. 
4 | 5 | ## Description 6 | 7 | List of things etwmon monitors: 8 | 9 | * Global ETW handles: `EtwpPsProvRegHandle`, `EtwpRegTraceHandle`, etc 10 | * Global ETW Callback pointers: `EtwpDiskIoNotifyRoutines`, `EtwpFileIoNotifyRoutines`, etc 11 | * ETW Loggers: `GetCPUClock` aka `infinity hook` technique, `CallbackContext` 12 | * ETW Providers: `ProviderEnableInfo`, etc 13 | 14 | Checks are made at the end of analysis and don't affect vm performance. 15 | -------------------------------------------------------------------------------- /src/plugins/hidsim/res/btn_demo.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tklengyel/drakvuf/9833fa5ffd821b11aa78ef8a7a455da623580b55/src/plugins/hidsim/res/btn_demo.gif -------------------------------------------------------------------------------- /src/plugins/hidsim/res/template_demo.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tklengyel/drakvuf/9833fa5ffd821b11aa78ef8a7a455da623580b55/src/plugins/hidsim/res/template_demo.gif -------------------------------------------------------------------------------- /src/plugins/output_format.h: -------------------------------------------------------------------------------- 1 | /*********************IMPORTANT DRAKVUF LICENSE TERMS*********************** 2 | * * 3 | * DRAKVUF (C) 2014-2024 Tamas K Lengyel. * 4 | * Tamas K Lengyel is hereinafter referred to as the author. * 5 | * This program is free software; you may redistribute and/or modify it * 6 | * under the terms of the GNU General Public License as published by the * 7 | * Free Software Foundation; Version 2 ("GPL"), BUT ONLY WITH ALL OF THE * 8 | * CLARIFICATIONS AND EXCEPTIONS DESCRIBED HEREIN. This guarantees your * 9 | * right to use, modify, and redistribute this software under certain * 10 | * conditions. 
If you wish to embed DRAKVUF technology into proprietary * 11 | * software, alternative licenses can be acquired from the author. * 12 | * * 13 | * Note that the GPL places important restrictions on "derivative works", * 14 | * yet it does not provide a detailed definition of that term. To avoid * 15 | * misunderstandings, we interpret that term as broadly as copyright law * 16 | * allows. For example, we consider an application to constitute a * 17 | * derivative work for the purpose of this license if it does any of the * 18 | * following with any software or content covered by this license * 19 | * ("Covered Software"): * 20 | * * 21 | * o Integrates source code from Covered Software. * 22 | * * 23 | * o Reads or includes copyrighted data files. * 24 | * * 25 | * o Is designed specifically to execute Covered Software and parse the * 26 | * results (as opposed to typical shell or execution-menu apps, which will * 27 | * execute anything you tell them to). * 28 | * * 29 | * o Includes Covered Software in a proprietary executable installer. The * 30 | * installers produced by InstallShield are an example of this. Including * 31 | * DRAKVUF with other software in compressed or archival form does not * 32 | * trigger this provision, provided appropriate open source decompression * 33 | * or de-archiving software is widely available for no charge. For the * 34 | * purposes of this license, an installer is considered to include Covered * 35 | * Software even if it actually retrieves a copy of Covered Software from * 36 | * another source during runtime (such as by downloading it from the * 37 | * Internet). * 38 | * * 39 | * o Links (statically or dynamically) to a library which does any of the * 40 | * above. * 41 | * * 42 | * o Executes a helper program, module, or script to do any of the above. * 43 | * * 44 | * This list is not exclusive, but is meant to clarify our interpretation * 45 | * of derived works with some common examples. 
Other people may interpret * 46 | * the plain GPL differently, so we consider this a special exception to * 47 | * the GPL that we apply to Covered Software. Works which meet any of * 48 | * these conditions must conform to all of the terms of this license, * 49 | * particularly including the GPL Section 3 requirements of providing * 50 | * source code and allowing free redistribution of the work as a whole. * 51 | * * 52 | * Any redistribution of Covered Software, including any derived works, * 53 | * must obey and carry forward all of the terms of this license, including * 54 | * obeying all GPL rules and restrictions. For example, source code of * 55 | * the whole work must be provided and free redistribution must be * 56 | * allowed. All GPL references to "this License", are to be treated as * 57 | * including the terms and conditions of this license text as well. * 58 | * * 59 | * Because this license imposes special exceptions to the GPL, Covered * 60 | * Work may not be combined (even as part of a larger work) with plain GPL * 61 | * software. The terms, conditions, and exceptions of this license must * 62 | * be included as well. This license is incompatible with some other open * 63 | * source licenses as well. In some cases we can relicense portions of * 64 | * DRAKVUF or grant special permissions to use it in other open source * 65 | * software. Please contact tamas.k.lengyel@gmail.com with any such * 66 | * requests. Similarly, we don't incorporate incompatible open source * 67 | * software into Covered Software without special permission from the * 68 | * copyright holders. * 69 | * * 70 | * If you have any questions about the licensing restrictions on using * 71 | * DRAKVUF in other works, are happy to help. As mentioned above, * 72 | * alternative license can be requested from the author to integrate * 73 | * DRAKVUF into proprietary applications and appliances. Please email * 74 | * tamas.k.lengyel@gmail.com for further information. 
* 75 | * * 76 | * If you have received a written license agreement or contract for * 77 | * Covered Software stating terms other than these, you may choose to use * 78 | * and redistribute Covered Software under those terms instead of these. * 79 | * * 80 | * Source is provided to this software because we believe users have a * 81 | * right to know exactly what a program is going to do before they run it. * 82 | * This also allows you to audit the software for security holes. * 83 | * * 84 | * Source code also allows you to port DRAKVUF to new platforms, fix bugs, * 85 | * and add new features. You are highly encouraged to submit your changes * 86 | * on https://github.com/tklengyel/drakvuf, or by other methods. * 87 | * By sending these changes, it is understood (unless you specify * 88 | * otherwise) that you are offering unlimited, non-exclusive right to * 89 | * reuse, modify, and relicense the code. DRAKVUF will always be * 90 | * available Open Source, but this is important because the inability to * 91 | * relicense code has caused devastating problems for other Free Software * 92 | * projects (such as KDE and NASM). * 93 | * To specify special license conditions of your contributions, just say * 94 | * so when you send them. * 95 | * * 96 | * This program is distributed in the hope that it will be useful, but * 97 | * WITHOUT ANY WARRANTY; without even the implied warranty of * 98 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the DRAKVUF * 99 | * license file for more details (it's in a COPYING file included with * 100 | * DRAKVUF, and also available from * 101 | * https://github.com/tklengyel/drakvuf/COPYING) * 102 | * * 103 | ***************************************************************************/ 104 | 105 | #ifndef PLUGINS_OUTPUT_FORMAT_H 106 | #define PLUGINS_OUTPUT_FORMAT_H 107 | 108 | #include "output_format/common.h" 109 | #include "output_format/csvfmt.h" 110 | #include "output_format/deffmt.h" 111 | #include "output_format/jsonfmt.h" 112 | #include "output_format/kvfmt.h" 113 | 114 | #include "output_format/xfmt.h" 115 | 116 | #endif 117 | -------------------------------------------------------------------------------- /src/plugins/procdump2/README.md: -------------------------------------------------------------------------------- 1 | # Abstract 2 | 3 | The _procdump_ plug-in dumps a process's virtual memory on process termination. 4 | 5 | ## Description 6 | 7 | The plug-in hooks two system calls: 8 | * `NtTerminateProcess` is used to create new tasks. 9 | * `KiDeliverApc` is used to search for a working process. 10 | 11 | ### `NtTerminateProcess` hook 12 | 13 | There are several reasons for the hook callback to occur: 14 | * The process terminates itself. 15 | * The process terminates another process. 16 | * The self-terminating process returns from the injected `PsSuspendProcess`. 17 | * The process evaluates `NtTerminateProcess` several times. 18 | 19 | #### Process terminates itself 20 | 21 | For a self-terminating process a new pending task is created and 22 | `PsSuspendProcess` is injected. 23 | 24 | #### Process terminates another process 25 | 26 | If this is the case, a new task is created and a return from `NtTerminateProcess` 27 | is injected with `STATUS_SUCCESS`. The task requires the target process to be suspended. 28 | 29 | This is done to avoid polluting the callee context with function injection. 30 | Though this is subject to change. 
31 | 32 | #### The self-terminating process returns from `PsSuspendProcess` 33 | 34 | For several reasons the suspended process could wake up: 35 | * `PsResumeProcess` injected on task completion. If this is the case, finish the 36 | task. 37 | * Some system event. If this is the case, re-inject `PsSuspendProcess`. 38 | 39 | #### `NtTerminateProcess` evaluated several times 40 | 41 | At least two reasons are known: 42 | * `kernel32!ExitProcess` calls `NtTerminateProcess` two times. 43 | * Some system event. May be OS job object completion. 44 | 45 | In both cases a return from `NtTerminateProcess` is injected. 46 | 47 | ### `KiDeliverApc` hook 48 | 49 | The hook is used to search for a _working thread_ and perform the task's operation 50 | with an injection chain. 51 | 52 | To achieve this the task's _stage_ is checked: 53 | * If an active task is found and the return context matches the current one, then 54 | continue processing. 55 | * Check if the current thread is a good candidate for task processing and, if it is, 56 | then process the task. 57 | 58 | #### Checking if a thread could be used to process the task 59 | 60 | The candidate should not be attached to another process and should not be 61 | terminated before task completion. 62 | 63 | It has been noticed that several system user-space processes are good enough 64 | to be used: _lsass_, _csrss_, _conhost_, _services_, _svchost_. Though there 65 | are no guarantees that these processes will not be terminated. 66 | 67 | For a good candidate one has to check that its IRQL is low with 68 | `KeGetCurrentIrql`. 69 | 70 | If the target process has not been suspended, one has to inject `PsSuspendProcess`. 71 | 72 | ## The task state machine 73 | 74 | **TODO** Switch "allocate_pool" and "get_irql". 
75 | 76 | ``` 77 | ┌────────────┐ ┌───────┬───────────┐ 78 | │need_suspend│ ┌──►│pending│ │ 79 | └──────┬─────┘ │ └─┬─────┘ │ 80 | │ │ │ ▲ │ 81 | │ │ │ │ │ 82 | ▼ │ ▼ │ ▼ 83 | ┌───────┐ │ ┌─────┴──┐ ┌─────────────┐ 84 | │suspend├───┘ │get_irql│◄──┤allocate_pool│ 85 | └───────┘ └───┬────┘ └─────────────┘ 86 | │ 87 | │ 88 | ▼ 89 | ┌───────────┐◄──┐ 90 | │copy_memory│ │ 91 | └─────┬─────┴───┘ 92 | │ 93 | │ 94 | ▼ 95 | ┌──────┐ 96 | ┌────┤resume├─────┐ 97 | │ └──────┘ │ 98 | │ │ 99 | │ │ 100 | ▼ ▼ 101 | ┌──────┐ ┌────────┐ 102 | │awaken│ │finished│ 103 | └──────┘ └────────┘ 104 | ``` 105 | 106 | ## FAQ 107 | 108 | ### Why `procdump_fail` occur? 109 | 110 | * On buffer allocation error (`ExAllocatePoolWithTag` return `NULL`). 111 | E.g. many tasks have been queued while waiting for working process. 112 | * On empty process memory map. 113 | Memory map is constructed based on VAD tree. 114 | -------------------------------------------------------------------------------- /src/plugins/rootkitmon/README.md: -------------------------------------------------------------------------------- 1 | # Abstract 2 | 3 | The _rootkitmon_ plug-in detects various rootkit techniques in kernel. 
4 | 5 | ## Description 6 | 7 | List of things rootkitmon monitors: 8 | 9 | * `IDT`, `GDT` tables 10 | * `GDTR`, `IDTR`, `LSTAR` registers 11 | * `nonpaged, non writtable driver code sections` 12 | * `DriverOjbect, DeviceObject chain` 13 | * `FwpmCalloutAdd0` and `FltRegisterFilter` functions 14 | * `HalPrivateDispatchTable` 15 | * `g_CiEnabled` and `g_CiCallbacks` 16 | * `ObjectCallbacks` and `ObjectType` callbacks 17 | -------------------------------------------------------------------------------- /src/xen_helper/meson.build: -------------------------------------------------------------------------------- 1 | incdir = include_directories('../..') 2 | xc_incdir = dependency('xencontrol').get_pkgconfig_variable('includedir') 3 | xl_incdir = dependency('xenlight').get_pkgconfig_variable('includedir') 4 | xfm_incdir = dependency('xenforeignmemory').get_pkgconfig_variable('includedir') 5 | xtl_incdir = dependency('xentoollog').get_pkgconfig_variable('includedir') 6 | 7 | dl = meson.get_compiler('c').find_library('dl', required: true) 8 | 9 | xen_helper = static_library('xen_helper', 10 | 'xen_helper.c', 11 | 12 | include_directories : [incdir, xc_incdir], 13 | dependencies : [glib, dl] 14 | ) 15 | -------------------------------------------------------------------------------- /tools/rekall_linux_profile_fix.sh: --------------------------------------------------------------------------------
1 | #!/usr/bin/python
# NOTE: despite the .sh suffix this file is a Python script (see the shebang
# above); run it with python or via the shebang, not with sh/bash.
2 | 
3 | import sys
4 | import json
5 | 
6 | # to run: ./rekall_linux_profile_fix.sh 4.13.9-300.fc27.x86_64.json
7 | # will write output to 4.13.9-300.fc27.x86_64.json-2
8 | 
# Purpose: flatten the anonymous struct that task_struct references through
# its `u1` member into task_struct itself, rebasing each member's offset, so
# the member appears directly in task_struct with its absolute offset.
# The input profile path is taken from the LAST command-line argument and the
# result is written next to it with a "-2" suffix; the input is never
# modified (opened read-only).
# Caveat: with no arguments sys.argv[-1] is sys.argv[0] (this script itself),
# so the script would try to parse its own source as JSON and fail at the
# json.loads below. An explicit `len(sys.argv) < 2` usage check would make
# that failure mode obvious to the operator.
9 | with open(sys.argv[-1], 'r') as orig_fh, \
10 |     open('%s-2' % sys.argv[-1], 'w') as new_fh:
11 | 
12 |     # Load json and find anonymous struct
13 |     j = json.loads(orig_fh.read())
14 | 
    # Profile layout assumed by every index below (consistent with how the
    # script uses the values, but never validated):
    #   $STRUCTS[name] == [size, {member: [offset, [type_name, ...]]}]
    # u1[0] is the member's byte offset inside task_struct; u1[1][0] is the
    # name of the (anonymous) struct type it refers to.
    # A profile missing `task_struct` or `u1` raises KeyError here — that is
    # the intended behaviour for a malformed input, just not a friendly one.
15 |     struct_offset = j['$STRUCTS']['task_struct'][1]['u1'][0]
16 |     struct_name = j['$STRUCTS']['task_struct'][1]['u1'][1][0]
17 | 
18 |     print(struct_offset)
19 |     print(struct_name)
20 | 
    # Drop the indirection; the struct's members are re-added directly below.
21 |     del j['$STRUCTS']['task_struct'][1]['u1']
22 | 
23 |     # Move all of anon struct's members into task_struct
    # Member offsets inside the anonymous struct are relative to it, so each
    # one is rebased by u1's offset before being stored in task_struct.
    # A member whose name collides with an existing task_struct member is
    # silently overwritten (plain dict assignment, no check).
24 |     for key, item in j['$STRUCTS'][struct_name][1].items():
25 |         print('%s -> %s' % (key, item))
26 |         item[0] += struct_offset
27 |         print('%s -> %s' % (key, item))
28 |         j['$STRUCTS']['task_struct'][1][key] = item
29 | 
    # Element [0] is presumably the struct size (it is what the two sizes are
    # summed into); the anonymous struct's [0] is added to task_struct's.
30 |     print(j['$STRUCTS']['task_struct'][0])
31 |     j['$STRUCTS']['task_struct'][0] += j['$STRUCTS'][struct_name][0]
32 |     print(j['$STRUCTS']['task_struct'][0])
33 | 
    # The anonymous struct definition is removed from the profile entirely.
    # If any other struct referenced it by name, that reference now dangles;
    # nothing here checks for that.
34 |     del j['$STRUCTS'][struct_name]
35 | 
36 |     # save modified profile
    # sort_keys keeps the output deterministic so two runs can be diffed.
37 |     json.dump(j, new_fh, sort_keys=True, indent=1,)
38 | -------------------------------------------------------------------------------- /tools/rpctestclient.py: -------------------------------------------------------------------------------- 1 | #********************IMPORTANT DRAKVUF LICENSE TERMS*********************# 2 | # # 3 | # DRAKVUF (C) 2014-2024 Tamas K Lengyel. # 4 | # Tamas K Lengyel is hereinafter referred to as the author. # 5 | # This program is free software; you may redistribute and/or modify it # 6 | # under the terms of the GNU General Public License as published by the # 7 | # Free Software Foundation; Version 2 ("GPL"), BUT ONLY WITH ALL OF THE # 8 | # CLARIFICATIONS AND EXCEPTIONS DESCRIBED HEREIN. This guarantees your # 9 | # right to use, modify, and redistribute this software under certain # 10 | # conditions. If you wish to embed DRAKVUF technology into proprietary # 11 | # software, alternative licenses can be aquired from the author. # 12 | # # 13 | # Note that the GPL places important restrictions on "derivative works", # 14 | # yet it does not provide a detailed definition of that term. To avoid # 15 | # misunderstandings, we interpret that term as broadly as copyright law # 16 | # allows. 
For example, we consider an application to constitute a # 17 | # derivative work for the purpose of this license if it does any of the # 18 | # following with any software or content covered by this license # 19 | # ("Covered Software"): # 20 | # # 21 | # o Integrates source code from Covered Software. # 22 | # # 23 | # o Reads or includes copyrighted data files. # 24 | # # 25 | # o Is designed specifically to execute Covered Software and parse the # 26 | # results (as opposed to typical shell or execution-menu apps, which will# 27 | # execute anything you tell them to). # 28 | # # 29 | # o Includes Covered Software in a proprietary executable installer. The# 30 | # installers produced by InstallShield are an example of this. Including# 31 | # DRAKVUF with other software in compressed or archival form does not # 32 | # trigger this provision, provided appropriate open source decompression # 33 | # or de-archiving software is widely available for no charge. For the # 34 | # purposes of this license, an installer is considered to include Covered# 35 | # Software even if it actually retrieves a copy of Covered Software from # 36 | # another source during runtime (such as by downloading it from the # 37 | # Internet). # 38 | # # 39 | # o Links (statically or dynamically) to a library which does any of the # 40 | # above. # 41 | # # 42 | # o Executes a helper program, module, or script to do any of the above. # 43 | # # 44 | # This list is not exclusive, but is meant to clarify our interpretation # 45 | # of derived works with some common examples. Other people may interpret# 46 | # the plain GPL differently, so we consider this a special exception to # 47 | # the GPL that we apply to Covered Software. Works which meet any of # 48 | # these conditions must conform to all of the terms of this license, # 49 | # particularly including the GPL Section 3 requirements of providing # 50 | # source code and allowing free redistribution of the work as a whole. 
# 51 | # # 52 | # Any redistribution of Covered Software, including any derived works, # 53 | # must obey and carry forward all of the terms of this license, including# 54 | # obeying all GPL rules and restrictions. For example, source code of # 55 | # the whole work must be provided and free redistribution must be # 56 | # allowed. All GPL references to "this License", are to be treated as # 57 | # including the terms and conditions of this license text as well. # 58 | # # 59 | # Because this license imposes special exceptions to the GPL, Covered # 60 | # Work may not be combined (even as part of a larger work) with plain GPL# 61 | # software. The terms, conditions, and exceptions of this license must # 62 | # be included as well. This license is incompatible with some other open# 63 | # source licenses as well. In some cases we can relicense portions of # 64 | # DRAKVUF or grant special permissions to use it in other open source # 65 | # software. Please contact tamas.k.lengyel@gmail.com with any such # 66 | # requests. Similarly, we don't incorporate incompatible open source # 67 | # software into Covered Software without special permission from the # 68 | # copyright holders. # 69 | # # 70 | # If you have any questions about the licensing restrictions on using # 71 | # DRAKVUF in other works, are happy to help. As mentioned above, # 72 | # alternative license can be requested from the author to integrate # 73 | # DRAKVUF into proprietary applications and appliances. Please email # 74 | # tamas.k.lengyel@gmail.com for further information. # 75 | # # 76 | # If you have received a written license agreement or contract for # 77 | # Covered Software stating terms other than these, you may choose to use # 78 | # and redistribute Covered Software under those terms instead of these. 
# 79 | # # 80 | # Source is provided to this software because we believe users have a # 81 | # right to know exactly what a program is going to do before they run it.# 82 | # This also allows you to audit the software for security holes. # 83 | # # 84 | # Source code also allows you to port DRAKVUF to new platforms, fix bugs,# 85 | # and add new features. You are highly encouraged to submit your changes# 86 | # on https://github.com/tklengyel/drakvuf, or by other methods. # 87 | # By sending these changes, it is understood (unless you specify # 88 | # otherwise) that you are offering unlimited, non-exclusive right to # 89 | # reuse, modify, and relicense the code. DRAKVUF will always be # 90 | # available Open Source, but this is important because the inability to # 91 | # relicense code has caused devastating problems for other Free Software # 92 | # projects (such as KDE and NASM). # 93 | # To specify special license conditions of your contributions, just say # 94 | # so when you send them. # 95 | # # 96 | # This program is distributed in the hope that it will be useful, but # 97 | # WITHOUT ANY WARRANTY; without even the implied warranty of # 98 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
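See the DRAKVUF # 99 | # license file for more details (it's in a COPYING file included with # 100 | # DRAKVUF, and also available from # 101 | # https://github.com/tklengyel/drakvuf/COPYING) # 102 | # # 103 | #************************************************************************# 104 |
"""Minimal XML-RPC test client for a DRAKVUF RPC server.

Uploads the local file ``test_file1`` to the server under the name
``test_file2``, asks the server for the results associated with that
name and writes whatever comes back to ``test_file3``.

NOTE(review): the transport is plain HTTP with no authentication or
integrity protection.  Keep the server URL on localhost (or a trusted
network): anything on the path can read or replace both the uploaded
sample and the returned results.
"""

try:
    import xmlrpc.client as xmlrpclib  # Python 3
except ImportError:  # pragma: no cover - Python 2 fallback
    import xmlrpclib

# Endpoint and file names used by the original test flow.
SERVER_URL = "http://localhost:8000/drakvuf"
LOCAL_INPUT = "test_file1"
REMOTE_NAME = "test_file2"
LOCAL_OUTPUT = "test_file3"


def main():
    """Upload the sample, fetch the results and store them on disk."""
    client = xmlrpclib.ServerProxy(SERVER_URL)

    # Binary wraps the raw bytes so they are marshalled as base64 instead
    # of being sent as an XML string (which would break on non-text data).
    with open(LOCAL_INPUT, "rb") as handle:
        binary_data = xmlrpclib.Binary(handle.read())
    client.drakvuf_receive_file(REMOTE_NAME, binary_data)

    # The reply is expected to be a Binary; .data holds the raw bytes.
    results = client.drakvuf_query_results(REMOTE_NAME)
    with open(LOCAL_OUTPUT, "wb") as handle:
        handle.write(results.data)


if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------
/tools/tcpdump.sh:
--------------------------------------------------------------------------------
1 | #********************IMPORTANT DRAKVUF LICENSE TERMS*********************# 2 | # # 3 | # DRAKVUF (C) 2014-2024 Tamas K Lengyel. # 4 | # Tamas K Lengyel is hereinafter referred to as the author. # 5 | # This program is free software; you may redistribute and/or modify it # 6 | # under the terms of the GNU General Public License as published by the # 7 | # Free Software Foundation; Version 2 ("GPL"), BUT ONLY WITH ALL OF THE # 8 | # CLARIFICATIONS AND EXCEPTIONS DESCRIBED HEREIN. This guarantees your # 9 | # right to use, modify, and redistribute this software under certain # 10 | # conditions. If you wish to embed DRAKVUF technology into proprietary # 11 | # software, alternative licenses can be aquired from the author. # 12 | # # 13 | # Note that the GPL places important restrictions on "derivative works", # 14 | # yet it does not provide a detailed definition of that term. To avoid # 15 | # misunderstandings, we interpret that term as broadly as copyright law # 16 | # allows.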
For example, we consider an application to constitute a # 17 | # derivative work for the purpose of this license if it does any of the # 18 | # following with any software or content covered by this license # 19 | # ("Covered Software"): # 20 | # # 21 | # o Integrates source code from Covered Software. # 22 | # # 23 | # o Reads or includes copyrighted data files. # 24 | # # 25 | # o Is designed specifically to execute Covered Software and parse the # 26 | # results (as opposed to typical shell or execution-menu apps, which will# 27 | # execute anything you tell them to). # 28 | # # 29 | # o Includes Covered Software in a proprietary executable installer. The# 30 | # installers produced by InstallShield are an example of this. Including# 31 | # DRAKVUF with other software in compressed or archival form does not # 32 | # trigger this provision, provided appropriate open source decompression # 33 | # or de-archiving software is widely available for no charge. For the # 34 | # purposes of this license, an installer is considered to include Covered# 35 | # Software even if it actually retrieves a copy of Covered Software from # 36 | # another source during runtime (such as by downloading it from the # 37 | # Internet). # 38 | # # 39 | # o Links (statically or dynamically) to a library which does any of the # 40 | # above. # 41 | # # 42 | # o Executes a helper program, module, or script to do any of the above. # 43 | # # 44 | # This list is not exclusive, but is meant to clarify our interpretation # 45 | # of derived works with some common examples. Other people may interpret# 46 | # the plain GPL differently, so we consider this a special exception to # 47 | # the GPL that we apply to Covered Software. Works which meet any of # 48 | # these conditions must conform to all of the terms of this license, # 49 | # particularly including the GPL Section 3 requirements of providing # 50 | # source code and allowing free redistribution of the work as a whole. 
# 51 | # # 52 | # Any redistribution of Covered Software, including any derived works, # 53 | # must obey and carry forward all of the terms of this license, including# 54 | # obeying all GPL rules and restrictions. For example, source code of # 55 | # the whole work must be provided and free redistribution must be # 56 | # allowed. All GPL references to "this License", are to be treated as # 57 | # including the terms and conditions of this license text as well. # 58 | # # 59 | # Because this license imposes special exceptions to the GPL, Covered # 60 | # Work may not be combined (even as part of a larger work) with plain GPL# 61 | # software. The terms, conditions, and exceptions of this license must # 62 | # be included as well. This license is incompatible with some other open# 63 | # source licenses as well. In some cases we can relicense portions of # 64 | # DRAKVUF or grant special permissions to use it in other open source # 65 | # software. Please contact tamas.k.lengyel@gmail.com with any such # 66 | # requests. Similarly, we don't incorporate incompatible open source # 67 | # software into Covered Software without special permission from the # 68 | # copyright holders. # 69 | # # 70 | # If you have any questions about the licensing restrictions on using # 71 | # DRAKVUF in other works, are happy to help. As mentioned above, # 72 | # alternative license can be requested from the author to integrate # 73 | # DRAKVUF into proprietary applications and appliances. Please email # 74 | # tamas.k.lengyel@gmail.com for further information. # 75 | # # 76 | # If you have received a written license agreement or contract for # 77 | # Covered Software stating terms other than these, you may choose to use # 78 | # and redistribute Covered Software under those terms instead of these. 
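# 79 | # # 80 | # Source is provided to this software because we believe users have a # 81 | # right to know exactly what a program is going to do before they run it.# 82 | # This also allows you to audit the software for security holes. # 83 | # # 84 | # Source code also allows you to port DRAKVUF to new platforms, fix bugs,# 85 | # and add new features. You are highly encouraged to submit your changes# 86 | # on https://github.com/tklengyel/drakvuf, or by other methods. # 87 | # By sending these changes, it is understood (unless you specify # 88 | # otherwise) that you are offering unlimited, non-exclusive right to # 89 | # reuse, modify, and relicense the code. DRAKVUF will always be # 90 | # available Open Source, but this is important because the inability to # 91 | # relicense code has caused devastating problems for other Free Software # 92 | # projects (such as KDE and NASM). # 93 | # To specify special license conditions of your contributions, just say # 94 | # so when you send them. # 95 | # # 96 | # This program is distributed in the hope that it will be useful, but # 97 | # WITHOUT ANY WARRANTY; without even the implied warranty of # 98 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the DRAKVUF # 99 | # license file for more details (it's in a COPYING file included with # 100 | # DRAKVUF, and also available from # 101 | # https://github.com/tklengyel/drakvuf/COPYING) # 102 | # # 103 | #************************************************************************# 104 |
#!/bin/bash
# tcpdump.sh - capture the network traffic of one analysis run.
#
# Usage: tcpdump.sh VLAN RUNFOLDER RUNFILE OUTPUTFOLDER
#   VLAN          VLAN id; the capture interface is xenbr1.<VLAN>
#   RUNFOLDER     directory holding the sample
#   RUNFILE       sample file name inside RUNFOLDER
#   OUTPUTFOLDER  base output directory; the capture is written to
#                 OUTPUTFOLDER/<md5 of the sample>/tcpdump.pcap
#
# NOTE(review): because the license header precedes it, this shebang is
# not on the first line of the file and is not honoured by the kernel --
# invoke the script with bash explicitly.  tcpdump needs root (or
# CAP_NET_RAW/CAP_NET_ADMIN) to open the interface.

set -u

# Fewer than four arguments: nothing to capture.  Exit status 0 is kept
# for compatibility with existing callers; only a usage hint is added.
if [ "$#" -le 3 ]; then
    printf 'usage: %s VLAN RUNFOLDER RUNFILE OUTPUTFOLDER\n' "$0" >&2
    exit 0
fi

VLAN="$1"
RUNFOLDER="$2"
RUNFILE="$3"
OUTPUTFOLDER="$4"

# The sample's MD5 names the per-run output directory.  Every expansion is
# quoted and "--" ends option parsing, so a sample name containing spaces,
# glob characters or a leading "-" cannot alter the md5sum/tcpdump command
# lines (sample names are attacker-chosen input).
MD5=$(md5sum -- "$RUNFOLDER/$RUNFILE" | awk '{print $1}')
if [ -z "$MD5" ]; then
    printf '%s: cannot hash %s\n' "$0" "$RUNFOLDER/$RUNFILE" >&2
    exit 1
fi

# tcpdump would fail on a missing directory anyway; fail early with a
# message instead of silently (its own output is discarded below).
if [ ! -d "$OUTPUTFOLDER/$MD5" ]; then
    printf '%s: output directory %s does not exist\n' "$0" "$OUTPUTFOLDER/$MD5" >&2
    exit 1
fi

# -n: never resolve addresses, so the capture host emits no DNS lookups
#     for the sample's traffic.
# -U: write each packet to the file as it arrives, so a partial capture
#     survives if the process is killed.
# stdout/stderr of tcpdump are discarded as in the original; a failure to
# open the interface or the file is only visible through the exit status.
tcpdump -i "xenbr1.$VLAN" -n -U -w "$OUTPUTFOLDER/$MD5/tcpdump.pcap" >/dev/null 2>&1

exit $?
--------------------------------------------------------------------------------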