Gecko [ www.thearyasamaj.org ]

Name	Size	Permission
common	[ DIR ]	drwxr-xr-x
syscall_hooks	[ DIR ]	drwxr-xr-x
transport	[ DIR ]	drwxr-xr-x
Kbuild	3.71 KB	-rw-r--r--
Makefile	2.2 KB	-rw-r--r--
compat.c	5.74 KB	-rw-r--r--
compat.h	6.94 KB	-rw-r--r--
debug.h	3.56 KB	-rw-r--r--
dkms.conf	146 B	-rw-r--r--
memory.h	529 B	-rw-r--r--
module.c	1.86 KB	-rw-r--r--
module_ref.h	421 B	-rw-r--r--
module_rundown_protection.c	3.6 KB	-rw-r--r--
module_rundown_protection.h	743 B	-rw-r--r--
rundown_protection.c	4.2 KB	-rw-r--r--
rundown_protection.h	2.83 KB	-rw-r--r--
stringify.h	261 B	-rw-r--r--
task_info_map.c	19.07 KB	-rw-r--r--
task_info_map.h	1.92 KB	-rw-r--r--
tracepoints.c	3.02 KB	-rw-r--r--
tracepoints.h	299 B	-rw-r--r--

Code Editor : tracepoints.c

/**
@file
@brief    'exec', 'exit' and 'fork' tracepoints
@details  Copyright (c) 2017-2021 Acronis International GmbH
@author   Mikhail Krivtsov (mikhail.krivtsov@acronis.com)
@since    $Id: $
*/

#include "tracepoints.h"

#include "compat.h"
#include "debug.h"
#include "exit_event.h"
#include "fork_event.h"
#include "memory.h"
#include "message.h"

#include <linux/binfmts.h>
#include <linux/dcache.h>	// d_path
#include <linux/file.h>		// fput()
#include <linux/fs.h>		// struct file
#include <linux/limits.h>	// PATH_MAX
#include <linux/mm.h>		// get_task_exe_file()
#include <linux/mm_types.h>	// struct mm_struct
#include <linux/path.h>		// struct path
#ifndef KERNEL_MOCK
#include <linux/sched.h>	// struct task_struct
#else
#include <mock/mock_sched.h>
#endif
#include <linux/tracepoint.h>
#include <linux/version.h>	// LINUX_VERSION_CODE, KERNEL_VERSION()
#include <trace/events/sched.h>	// TRACE_EVENT(sched_*)

static TRACE_CB_PROTO(sched_process_exit,
		TP_PROTO(struct task_struct *p))
{
	DPRINTF("exit() p=%p { pid=%d tgid=%d }", p, p->pid, p->tgid);
	exit_event_nowait(p->tgid, p->pid);
}

// FIXME: 'fork' tracepoint merges new processes into single meta process
// which can be 'white-listed'. Without 'exec' tracepoint 'grey' processes
// produced on 'exec' event can stay in 'white' list. It breaks heuristics
// operation and prevents malware detection.
#if KERNEL_VERSION(3, 4, 0) <= LINUX_VERSION_CODE
/*
 * Here the caller only guarantees locking for struct file and struct inode.
 * Locking must therefore be done in the probe to use the dentry.
 */
static TRACE_CB_PROTO(sched_process_fork,
		TP_PROTO(struct task_struct *current_macro,
				struct task_struct *p))
{
	DPRINTF("fork() current=%p { pid=%d tgid=%d comm='%s' } "
		"p=%p { pid=%d tgid=%d comm='%s' }",
		current_macro, current_macro->pid, current_macro->tgid,
				current_macro->comm,
		p, p->pid, p->tgid, p->comm);
	fork_event_nowait(current_macro->tgid, current_macro->pid, p->tgid, p->pid);
}
#endif

int tracepoints_attach(void)
{
	int ret;

ret = REGISTER_TRACE(sched_process_exit, TRACE_CB_NAME(sched_process_exit));
	if (ret) {
		EPRINTF("'register_trace_sched_process_exit()' failure %i", ret);
		goto unregister_exec;
	}

#if KERNEL_VERSION(3, 4, 0) <= LINUX_VERSION_CODE
	ret = REGISTER_TRACE(sched_process_fork, TRACE_CB_NAME(sched_process_fork));
	if (ret) {
		EPRINTF("'register_trace_sched_process_fork()' failure %i", ret);
		goto unregister_exit;
	}
#endif

IPRINTF("tracepoints attached");
	//ret = 0;	// Note: 'ret' is already 0 here
	goto out;

#if KERNEL_VERSION(3, 4, 0) <= LINUX_VERSION_CODE
unregister_exit:
#endif
	UNREGISTER_TRACE(sched_process_exit, TRACE_CB_NAME(sched_process_exit));
unregister_exec:
	tracepoint_synchronize_unregister();
out:
	return ret;
}

void tracepoints_detach(void)
{
#if KERNEL_VERSION(3, 4, 0) <= LINUX_VERSION_CODE
	UNREGISTER_TRACE(sched_process_fork, TRACE_CB_NAME(sched_process_fork));
#endif
	UNREGISTER_TRACE(sched_process_exit, TRACE_CB_NAME(sched_process_exit));
	tracepoint_synchronize_unregister();
	IPRINTF("tracepoints detached");
}

${this.title}

Code Editor : tracepoints.c