nitro.backends package

Submodules

nitro.backends.arguments module

class nitro.backends.arguments.ArgumentMap(event, process)

Bases: object

ArgumentMap is a base class for providing access to system call arguments.

ARG_SIZE = {<SyscallType.syscall: 1>: 'P', <SyscallType.sysenter: 0>: 'I'}
arg_size_format
event

Underlying event

get_argument_value(arg_type, opaque)
modified
process

Process associated with the ArgumentMap

set_argument_value(arg_type, opaque, value)
class nitro.backends.arguments.SyscallArgumentType

Bases: enum.Enum

memory = 1
register = 0

nitro.backends.backend module

Backends process a stream of NitroEvent objects and produce higher-level Systemcall events carrying operating-system-specific information, such as the Process that generated the event and the system call's arguments.

class nitro.backends.backend.Backend(domain, libvmi, listener, syscall_filtering=True)

Bases: object

Base class for backends. A Backend dispatches registered hooks for each system call it sees and keeps statistics about the events it has processed.

define_hook(name, callback, direction=<SyscallDirection.enter: 0>)

Register a new system call hook with the Backend.

Parameters:
  • name (str) – Name of the system call to hook.
  • callback (callable) – Callable to call when the hook is fired.
  • direction (SyscallDirection) – Whether the hook fires when the system call is entered or when it exits.
dispatch_hooks(syscall)

Fire the hooks registered for the name and direction of syscall.
domain

libvirt domain associated with the backend

hooks

Event hooks

libvmi

handle to libvmi

listener

Listener associated with the Backend

stats

Statistics about the backend

stop()

Stop the backend

syscall_filtering

Is system call filtering enabled for the backend

undefine_hook(name, direction=<SyscallDirection.enter: 0>)

Unregister a hook.

nitro.backends.factory module

exception nitro.backends.factory.BackendNotFoundError

Bases: Exception

nitro.backends.factory.get_backend(domain, listener, syscall_filtering)

Return a suitable backend based on the guest operating system.

Parameters:
  • domain – libvirt domain
  • listener – Listener to associate with the backend
  • syscall_filtering (bool) – Whether system call filtering is enabled for the backend
Returns:new backend instance
Return type:Backend
Raises:BackendNotFoundError – if no backend supports the guest operating system

nitro.backends.process module

class nitro.backends.process.Process(libvmi, cr3)

Bases: object

Base class for processes. Process provides access to information about a particular process as well as methods for reading and writing its memory.

as_dict()

Returns a dictionary representing the process.

Return type:dict
cr3
libvmi
name
pid
read_memory(addr, count)

Read count bytes at address addr from the process' address space.

Raises:LibvmiError – if the memory cannot be read
write_memory(addr, buffer)

Write buffer at address addr in the process' address space.

Raises:LibvmiError – if the memory cannot be written
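The following is an added, self-contained example (not code from the nitro project) that mirrors the documented Backend hook interface (define_hook, undefine_hook, dispatch_hooks, stats) and the Process memory interface (read_memory, write_memory, as_dict) so the flow can be run without a hypervisor. FakeLibvmi, Syscall, SyscallDirection.exit == 1, the stats keys and the NtOpenFile argument layout (first argument assumed to point straight at a NUL-terminated UTF-16LE path; the real call carries its path inside OBJECT_ATTRIBUTES) are all assumptions made for the example. The hook callback reads a path out of guest memory through the Process object, and the dispatcher shows how a hook that touches unmapped memory is accounted for rather than allowed to take the tracer down.

```python
from dataclasses import dataclass
from enum import Enum


class SyscallDirection(Enum):
    enter = 0
    exit = 1  # assumed: the page only shows SyscallDirection.enter == 0


class LibvmiError(Exception):
    """Stand-in for the libvmi error raised on failed guest memory access."""


class FakeLibvmi:
    """Constructed stand-in for the libvmi handle: one bytearray per CR3."""

    def __init__(self, spaces):
        self.spaces = spaces  # {cr3: bytearray}

    def _space(self, cr3, addr, count):
        space = self.spaces.get(cr3)
        if space is None or addr < 0 or addr + count > len(space):
            raise LibvmiError(f"cr3={cr3:#x} addr={addr:#x} count={count}: unmapped")
        return space

    def read(self, cr3, addr, count):
        return bytes(self._space(cr3, addr, count)[addr:addr + count])

    def write(self, cr3, addr, buffer):
        self._space(cr3, addr, len(buffer))[addr:addr + len(buffer)] = buffer


class Process:
    """Mirrors the documented nitro.backends.process.Process interface."""

    def __init__(self, libvmi, cr3, pid=None, name=None):
        self.libvmi, self.cr3, self.pid, self.name = libvmi, cr3, pid, name

    def as_dict(self):
        return {"cr3": self.cr3, "pid": self.pid, "name": self.name}

    def read_memory(self, addr, count):
        return self.libvmi.read(self.cr3, addr, count)

    def write_memory(self, addr, buffer):
        self.libvmi.write(self.cr3, addr, buffer)


@dataclass
class Syscall:  # assumed shape of the higher-level event handed to hooks
    name: str
    direction: SyscallDirection
    process: Process
    args: list


class Backend:
    """Hooks keyed by (direction, name), as define_hook/undefine_hook suggest."""

    def __init__(self, domain=None, libvmi=None, listener=None, syscall_filtering=True):
        self.domain, self.libvmi, self.listener = domain, libvmi, listener
        self.syscall_filtering = syscall_filtering
        self.hooks = {d: {} for d in SyscallDirection}
        self.stats = {"syscalls": 0, "hooks_fired": 0, "hook_errors": 0}  # assumed keys

    def define_hook(self, name, callback, direction=SyscallDirection.enter):
        self.hooks[direction][name] = callback

    def undefine_hook(self, name, direction=SyscallDirection.enter):
        self.hooks[direction].pop(name, None)

    def dispatch_hooks(self, syscall):
        self.stats["syscalls"] += 1
        callback = self.hooks[syscall.direction].get(syscall.name)
        if callback is None:
            return None
        try:
            result = callback(syscall)
            self.stats["hooks_fired"] += 1
            return result
        except LibvmiError:
            self.stats["hook_errors"] += 1  # bad guest pointer: count it, keep tracing
            return None


def read_utf16_string(process, addr, max_chars=256):
    """Read a NUL-terminated UTF-16LE string from guest memory, bounded to max_chars."""
    units = []
    for i in range(max_chars):
        unit = process.read_memory(addr + 2 * i, 2)
        if unit == b"\x00\x00":
            break
        units.append(unit)
    return b"".join(units).decode("utf-16-le")


def run_demo():
    path = "\\??\\C:\\Windows\\Temp\\payload.exe"  # constructed sample path
    mem = bytearray(4096)
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    mem[0x100:0x100 + len(encoded)] = encoded
    libvmi = FakeLibvmi({0x1AB000: mem})
    proc = Process(libvmi, cr3=0x1AB000, pid=1234, name="explorer.exe")
    backend = Backend(libvmi=libvmi)
    seen = []

    def on_open(syscall):  # assumed layout: args[0] points at the path
        opened = read_utf16_string(syscall.process, syscall.args[0])
        seen.append((syscall.process.pid, opened))
        return opened

    backend.define_hook("NtOpenFile", on_open)
    results = [
        backend.dispatch_hooks(Syscall("NtOpenFile", SyscallDirection.enter, proc, [0x100])),
        backend.dispatch_hooks(Syscall("NtOpenFile", SyscallDirection.exit, proc, [0x100])),
        backend.dispatch_hooks(Syscall("NtOpenFile", SyscallDirection.enter, proc, [0x5000])),
    ]
    backend.undefine_hook("NtOpenFile")
    results.append(backend.dispatch_hooks(Syscall("NtOpenFile", SyscallDirection.enter, proc, [0x100])))
    return results, dict(backend.stats), seen


if __name__ == "__main__":
    print(run_demo())
```

The second dispatch has no exit hook registered, the third hands the hook an unmapped pointer (0x5000 lies past the 4 KiB constructed address space) and is recorded as a hook error, and the fourth arrives after undefine_hook and fires nothing; only the first dispatch returns the path.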

Module contents