
added syscall information to init_module event
Signed-off-by: qjerome <qjerome@rawsec.lu>
qjerome committed Feb 13, 2024
1 parent 9b85d44 commit 0d7b278
Showing 3 changed files with 11 additions and 0 deletions.
9 changes: 9 additions & 0 deletions kunai-common/src/bpf_events/events/init_module.rs
Expand Up @@ -23,6 +23,15 @@ pub enum InitModuleArgs {
FInit(FInit),
}

impl InitModuleArgs {
pub const fn syscall_name(&self) -> &'static str {
match self {
Self::Init(_) => "init_module",
Self::FInit(_) => "finit_module",
}
}
}

impl InitModuleArgs {
pub fn uargs(&self) -> u64 {
match self {
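Review bot: `syscall_name` is a new `pub const fn` without a `///` doc comment, and it is introduced in a second `impl InitModuleArgs` block placed directly above the existing one that holds `uargs` (whose body starts at the bottom of the hunk and continues outside it). Suggest folding the method into the existing impl block and documenting it along the lines of `/// Name of the syscall that produced this event: "init_module" for [`Self::Init`], "finit_module" for [`Self::FInit`].` It is worth stating in that comment that the string is selected by enum variant rather than copied from any event buffer, so consumers can treat it as a trustworthy label for which kernel entry point loaded the module.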
1 change: 1 addition & 0 deletions kunai/src/bin/main.rs
Expand Up @@ -810,6 +810,7 @@ impl EventProcessor {
ancestors: self.get_ancestors_string(&info),
command_line,
exe: exe.into(),
syscall: event.data.args.syscall_name().into(),
module_name: event.data.name.to_string(),
args: event.data.uargs.to_string(),
loaded: event.data.loaded,
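Review bot: `event.data.args.syscall_name().into()` on the `syscall:` line turns a `&'static str` into a freshly allocated `String` for every init_module event, although the value is one of two fixed literals. If `InitModuleData::syscall` were `Cow<'static, str>` (or `&'static str`) the allocation would disappear; whether that is viable depends on how `InitModuleData` is serialized, which is not visible in this hunk. The enclosing struct literal and the method it sits in begin and end outside the hunk.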
1 change: 1 addition & 0 deletions kunai/src/events.rs
Expand Up @@ -576,6 +576,7 @@ pub struct InitModuleData {
pub ancestors: String,
pub command_line: String,
pub exe: File,
pub syscall: String,
pub module_name: String,
pub args: String,
pub loaded: bool,
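Review bot: The new `pub syscall: String` field is added to `InitModuleData` without a doc comment, unlike a reader of an emitted event would expect for a public field. Suggest `/// Syscall used to load the module: "init_module" or "finit_module".` so that people writing detection logic on this event know the field is a closed set of values rather than free text. The `InitModuleData` definition starts before the hunk and continues after it.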
