New plugin etwmon (#1553)

* new plugin etwmon

* add readme and meson build

* run astyle

* duh

configure.ac

@@ -562,6 +562,16 @@ if test x$plugin_unixsocketmon = xyes; then
   AC_DEFINE_UNQUOTED(ENABLE_PLUGIN_UNIXSOCKETMON, 1, "")
 fi
 
+AC_ARG_ENABLE([plugin_etwmon],
+  [AS_HELP_STRING([--disable-plugin-etwmon],
+    [Enable the epbfmon plugin @<:@yes@:>@])],
+  [plugin_etwmon="$enableval"],
+  [plugin_etwmon="yes"])
+AM_CONDITIONAL([PLUGIN_ETWMON], [test x$plugin_etwmon = xyes])
+if test x$plugin_etwmon = xyes; then
+  AC_DEFINE_UNQUOTED(ENABLE_PLUGIN_ETWMON, 1, "")
+fi
+
 #####################################################
 
 AC_ARG_ENABLE([repl],
@@ -875,6 +885,7 @@ Rootkitmon:         $plugin_rootkitmon
 Spraymon:           $plugin_spraymon
 Callbackmon:        $plugin_callbackmon
 HideVM:             $plugin_hidevm
+Etwmon:             $plugin_etwmon
 -------------------------------------------------------------------------------
 Deprecated Plugins
 WMIMon:             $plugin_wmimon

meson_options.txt

@@ -39,6 +39,7 @@ option('plugin-hidevm', type : 'boolean', value : true)
 option('plugin-ptracemon', type : 'boolean', value : true)
 option('plugin-ebpfmon', type : 'boolean', value : true)
 option('plugin-unixsocketmon', type : 'boolean', value : true)
+option('plugin-etwmon', type : 'boolean', value : true)
 
 # Disabled by default plugins
 option('plugin-libhooktest', type : 'boolean', value : 'false')

src/plugins/Makefile.am

@@ -383,6 +383,12 @@ sources += unixsocketmon/unixsocketmon.h
 sources += unixsocketmon/private.h
 endif
 
+if PLUGIN_ETWMON
+sources += etwmon/etwmon.cpp
+sources += etwmon/etwmon.h
+sources += etwmon/private.h
+endif
+
 ###############################################################################
 sources += plugins.cpp plugins.h plugins_ex.cpp plugins_ex.h plugin_utils.cpp plugin_utils.h private.h type_traits_helpers.h hook_helpers.h
 sources += output_format.h output_format/common.h output_format/csvfmt.h output_format/deffmt.h output_format/jsonfmt.h output_format/kvfmt.h

src/plugins/etwmon/README.md

@@ -0,0 +1,14 @@
+# Abstract
+
+The _etwmon_ plug-in detects various etw-related modifications in windows kernel.
+
+## Description
+
+List of things etwmon monitors:
+
+* Global ETW handles: `EtwpPsProvRegHandle`, `EtwpRegTraceHandle`, etc
+* Global ETW Callback pointers: `EtwpDiskIoNotifyRoutines`, `EtwpFileIoNotifyRoutines`, etc
+* ETW Loggers: `GetCPUClock` aka `infinity hook` technique, `CallbackContext`
+* ETW Providers: `ProviderEnableInfo`, etc
+
+Checks are made at the end of analysis and don't affect vm performance.

src/plugins/etwmon/etwmon.h

@@ -0,0 +1,150 @@
+/*********************IMPORTANT DRAKVUF LICENSE TERMS***********************
+ *                                                                         *
+ * DRAKVUF (C) 2014-2022 Tamas K Lengyel.                                  *
+ * Tamas K Lengyel is hereinafter referred to as the author.               *
+ * This program is free software; you may redistribute and/or modify it    *
+ * under the terms of the GNU General Public License as published by the   *
+ * Free Software Foundation; Version 2 ("GPL"), BUT ONLY WITH ALL OF THE   *
+ * CLARIFICATIONS AND EXCEPTIONS DESCRIBED HEREIN.  This guarantees your   *
+ * right to use, modify, and redistribute this software under certain      *
+ * conditions.  If you wish to embed DRAKVUF technology into proprietary   *
+ * software, alternative licenses can be acquired from the author.         *
+ *                                                                         *
+ * Note that the GPL places important restrictions on "derivative works",  *
+ * yet it does not provide a detailed definition of that term.  To avoid   *
+ * misunderstandings, we interpret that term as broadly as copyright law   *
+ * allows.  For example, we consider an application to constitute a        *
+ * derivative work for the purpose of this license if it does any of the   *
+ * following with any software or content covered by this license          *
+ * ("Covered Software"):                                                   *
+ *                                                                         *
+ * o Integrates source code from Covered Software.                         *
+ *                                                                         *
+ * o Reads or includes copyrighted data files.                             *
+ *                                                                         *
+ * o Is designed specifically to execute Covered Software and parse the    *
+ * results (as opposed to typical shell or execution-menu apps, which will *
+ * execute anything you tell them to).                                     *
+ *                                                                         *
+ * o Includes Covered Software in a proprietary executable installer.  The *
+ * installers produced by InstallShield are an example of this.  Including *
+ * DRAKVUF with other software in compressed or archival form does not     *
+ * trigger this provision, provided appropriate open source decompression  *
+ * or de-archiving software is widely available for no charge.  For the    *
+ * purposes of this license, an installer is considered to include Covered *
+ * Software even if it actually retrieves a copy of Covered Software from  *
+ * another source during runtime (such as by downloading it from the       *
+ * Internet).                                                              *
+ *                                                                         *
+ * o Links (statically or dynamically) to a library which does any of the  *
+ * above.                                                                  *
+ *                                                                         *
+ * o Executes a helper program, module, or script to do any of the above.  *
+ *                                                                         *
+ * This list is not exclusive, but is meant to clarify our interpretation  *
+ * of derived works with some common examples.  Other people may interpret *
+ * the plain GPL differently, so we consider this a special exception to   *
+ * the GPL that we apply to Covered Software.  Works which meet any of     *
+ * these conditions must conform to all of the terms of this license,      *
+ * particularly including the GPL Section 3 requirements of providing      *
+ * source code and allowing free redistribution of the work as a whole.    *
+ *                                                                         *
+ * Any redistribution of Covered Software, including any derived works,    *
+ * must obey and carry forward all of the terms of this license, including *
+ * obeying all GPL rules and restrictions.  For example, source code of    *
+ * the whole work must be provided and free redistribution must be         *
+ * allowed.  All GPL references to "this License", are to be treated as    *
+ * including the terms and conditions of this license text as well.        *
+ *                                                                         *
+ * Because this license imposes special exceptions to the GPL, Covered     *
+ * Work may not be combined (even as part of a larger work) with plain GPL *
+ * saoftware.  The terms, conditions, and exceptions of this license must   *
+ * be included as well.  This license is incompatible with some other open *
+ * source licenses as well.  In some cases we can relicense portions of    *
+ * DRAKVUF or grant special permissions to use it in other open source     *
+ * software.  Please contact tamas.k.lengyel@gmail.com with any such       *
+ * requests.  Similarly, we don't incorporate incompatible open source     *
+ * software into Covered Software without special permission from the      *
+ * copyright holders.                                                      *
+ *                                                                         *
+ * If you have any questions about the licensing restrictions on using     *
+ * DRAKVUF in other works, are happy to help.  As mentioned above,         *
+ * alternative license can be requested from the author to integrate       *
+ * DRAKVUF into proprietary applications and appliances.  Please email     *
+ * tamas.k.lengyel@gmail.com for further information.                      *
+ *                                                                         *
+ * If you have received a written license agreement or contract for        *
+ * Covered Software stating terms other than these, you may choose to use  *
+ * and redistribute Covered Software under those terms instead of these.   *
+ *                                                                         *
+ * Source is provided to this software because we believe users have a     *
+ * right to know exactly what a program is going to do before they run it. *
+ * This also allows you to audit the software for security holes.          *
+ *                                                                         *
+ * Source code also allows you to port DRAKVUF to new platforms, fix bugs, *
+ * and add new features.  You are highly encouraged to submit your changes *
+ * on https://github.com/tklengyel/drakvuf, or by other methods.           *
+ * By sending these changes, it is understood (unless you specify          *
+ * otherwise) that you are offering unlimited, non-exclusive right to      *
+ * reuse, modify, and relicense the code.  DRAKVUF will always be          *
+ * available Open Source, but this is important because the inability to   *
+ * relicense code has caused devastating problems for other Free Software  *
+ * projects (such as KDE and NASM).                                        *
+ * To specify special license conditions of your contributions, just say   *
+ * so when you send them.                                                  *
+ *                                                                         *
+ * This program is distributed in the hope that it will be useful, but     *
+ * WITHOUT ANY WARRANTY; without even the implied warranty of              *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the DRAKVUF   *
+ * license file for more details (it's in a COPYING file included with     *
+ * DRAKVUF, and also available from                                        *
+ * https://github.com/tklengyel/drakvuf/COPYING)                           *
+ *                                                                         *
+ ***************************************************************************/
+#pragma once
+
+#include "plugins/plugins_ex.h"
+#include "private.h"
+
+class etwmon : public pluginex
+{
+public:
+    etwmon(drakvuf_t drakvuf, output_format_t output);
+    virtual bool stop_impl() override;
+
+    etwmon(const etwmon& other);
+    void report(drakvuf_t drakvuf, const char* type, const char* name, const char* action);
+
+    bool is_supported(drakvuf_t drakvuf, bool quite);
+    void enumerate_loggers(vmi_instance_t vmi);
+    void enumerate_providers(vmi_instance_t vmi);
+    void enumerate_callbacks(vmi_instance_t vmi);
+    void enumerate_handles(vmi_instance_t vmi);
+
+    output_format_t format;
+    win_build_info_t winver;
+    size_t address_width;
+
+    std::array<size_t, etwmon_ns::__OFFSET_MAX> offsets;
+
+    addr_t logger_cb_ctx_rva;
+    addr_t etw_state_rva;
+    addr_t hash_table_rva;
+    addr_t logger_settings_rva;
+    addr_t active_loggers_rva;
+    addr_t silo_globals_va;
+    addr_t bucket_size;
+    addr_t list_entry_size;
+
+    addr_t guid_list_head_va;
+    addr_t etw_debugger_data_va;
+    uint32_t active_system_loggers;
+
+    std::vector<addr_t> global_handles_va;
+    std::vector<addr_t> global_callbacks_va;
+
+    std::vector<etwmon_ns::wmi_logger_t> loggers;
+    std::vector<etwmon_ns::provider_t>   providers;
+    std::vector<addr_t>                  global_handles;
+    std::vector<addr_t>                  global_callbacks;
+};