nitro.backends.linux package

Submodules

nitro.backends.linux.arguments module

class nitro.backends.linux.arguments.LinuxArgumentMap(event, process)

Bases: nitro.backends.arguments.ArgumentMap

LinuxArgumentMap provides read and write access to system call arguments.

CONVENTION = {
    <SyscallType.syscall: 1>: [(<SyscallArgumentType.register: 0>, 'rdi'), (<SyscallArgumentType.register: 0>, 'rsi'), (<SyscallArgumentType.register: 0>, 'rdx'), (<SyscallArgumentType.register: 0>, 'r10'), (<SyscallArgumentType.register: 0>, 'r8'), (<SyscallArgumentType.register: 0>, 'r9')],
    <SyscallType.sysenter: 0>: [(<SyscallArgumentType.register: 0>, 'rbx'), (<SyscallArgumentType.register: 0>, 'rcx'), (<SyscallArgumentType.register: 0>, 'rdx'), (<SyscallArgumentType.register: 0>, 'rsi'), (<SyscallArgumentType.register: 0>, 'rdi'), (<SyscallArgumentType.register: 0>, 'rbp')]
}

nitro.backends.linux.backend module

Backend for extracting information about system calls from Linux guests.

class nitro.backends.linux.backend.LinuxBackend(domain, libvmi, listener, syscall_filtering=True)

Bases: nitro.backends.backend.Backend

Extract information about system calls produced by the guest. This backend supports 64-bit Linux guests.

add_syscall_filter(syscall_name)
associate_process(cr3)

Get the LinuxProcess associated with cr3.

Parameters: cr3 (int) – cr3 value
Returns: process associated with cr3
Return type: LinuxProcess

build_syscall_name_map()
define_hook(name, callback, direction=<SyscallDirection.enter: 0>)
find_syscall_nb(syscall_name)
get_syscall_name(rax)

Return name of the system call handler associated with rax.

Parameters: rax (int) – index into system call table.
Returns: system call handler name
Return type: str
mm_offset
nb_vcpu
pgd_offset
process_event(event)

Process NitroEvent and return a matching Systemcall. This function analyzes system state and, based on it, produces a new Systemcall that contains higher-level information about the system call that is being processed.

Parameters: event (NitroEvent) – event to be analyzed
Returns: system call based on event.
Return type: Systemcall
remove_syscall_filter(syscall_name)
sys_call_table_addr
syscall_names
syscall_stack
tasks_offset
undefine_hook(name, direction=<SyscallDirection.enter: 0>)
nitro.backends.linux.backend.clean_name(name)

nitro.backends.linux.process module

class nitro.backends.linux.process.LinuxProcess(libvmi, cr3, task_struct)

Bases: nitro.backends.process.Process

Class representing a Linux process

name

Name of the process

pid

Process PID

task_struct

Kernel task_struct for the process

Module contents