allow parsers to modify original fmt args. add linux parsers

psolvx · psolvx · commit e92e096cb2a1 · 2025-09-25T18:21:20.000+02:00
diff --git a/src/plugins/syscalls/linux.cpp b/src/plugins/syscalls/linux.cpp
@@ -402,6 +402,47 @@ bool linux_syscalls::trap_syscall_table_entries(drakvuf_t drakvuf)
     return check;
 }
 
+void linux_syscalls::register_parsers()
+{
+    syscalls_base::register_parsers();
+
+    m_type_parsers[linux_intmask_prot_]= [this](
+            syscalls_base* base, fmt_args_t& original_args, fmt_args_t& extra_args, const syscalls_ns::syscall_t* sc,
+            const syscalls_ns::arg_t& arg, drakvuf_trap_info_t* info, uint64_t value,
+            const std::vector<uint64_t>& all_args)
+    {
+        if (value == 0)
+        {
+            find_replace_arg(original_args, std::string(arg.name), fmt::Qstr("PROT_NONE"));
+        }
+        else
+        {
+            find_replace_arg(original_args, std::string(arg.name), fmt::Qstr(parse_flags(value, mmap_prot, m_output_format)));
+        }
+    };
+
+    m_type_parsers[linux_intopt_pr_]= [](
+            syscalls_base* base, fmt_args_t& original_args, fmt_args_t& extra_args, const syscalls_ns::syscall_t* sc,
+            const syscalls_ns::arg_t& arg, drakvuf_trap_info_t* info, uint64_t value,
+            const std::vector<uint64_t>& all_args)
+    {
+        if (prctl_option.find(value) != prctl_option.end())
+        {
+            find_replace_arg(original_args, std::string(arg.name), fmt::Qstr(prctl_option.at(value)));
+        }
+    };
+
+    m_type_parsers[linux_intopt_arch_]= [](
+            syscalls_base* base, fmt_args_t& original_args, fmt_args_t& extra_args, const syscalls_ns::syscall_t* sc,
+            const syscalls_ns::arg_t& arg, drakvuf_trap_info_t* info, uint64_t value,
+            const std::vector<uint64_t>& all_args)
+    {
+        if (arch_prctl_code.find(value) != arch_prctl_code.end())
+        {
+            find_replace_arg(original_args, std::string(arg.name), fmt::Qstr(arch_prctl_code.at(value)));
+        }
+    };
+}
 
 linux_syscalls::linux_syscalls(drakvuf_t drakvuf, const syscalls_config* config, output_format_t output) : syscalls_base(drakvuf, config, output)
 {
@@ -413,4 +454,6 @@ linux_syscalls::linux_syscalls(drakvuf_t drakvuf, const syscalls_config* config,
 
     if (!this->trap_syscall_table_entries(drakvuf))
         PRINT_DEBUG("[SYSCALLS] Failed to set breakpoints on some syscalls.\n");
+
+    register_parsers();
 }
diff --git a/src/plugins/syscalls/linux.h b/src/plugins/syscalls/linux.h
@@ -130,6 +130,9 @@ class linux_syscalls : public syscalls_base
     bool trap_syscall_table_entries(drakvuf_t drakvuf);
 
     linux_syscalls(drakvuf_t drakvuf, const syscalls_config* config, output_format_t output);
+
+protected:
+    void register_parsers() override;
 };
 namespace syscalls_ns
 {
diff --git a/src/plugins/syscalls/private_2.h b/src/plugins/syscalls/private_2.h
@@ -144,6 +144,7 @@ class syscalls_base : public pluginex
 
     using arg_parser_t = std::function<void(
             syscalls_base* base,
+            fmt_args_t& original_args,
             fmt_args_t& extra_args,
             const syscalls_ns::syscall_t* sc,
             const syscalls_ns::arg_t& arg_to_parse,
@@ -155,6 +156,7 @@ class syscalls_base : public pluginex
     void print_sysret(drakvuf_t drakvuf, drakvuf_trap_info_t* info, int nr, const char* extra_info = nullptr);
     uint64_t value_from_uint64(syscalls_ns::arg_type_t type, uint64_t val);
     bool read_syscalls_list(const char* syscall_list_file);
+    static void find_replace_arg(std::vector<std::pair<std::string, fmt::Aarg>>& vec, const std::string& key, const fmt::Aarg& newValue);
 
     static std::optional<uint64_t> get_arg_value_by_name(
         const syscalls_ns::syscall_t* sc,
diff --git a/src/plugins/syscalls/syscalls.cpp b/src/plugins/syscalls/syscalls.cpp
@@ -214,7 +214,7 @@ void syscalls_base::fill_fmt_args(
 
         if (parser)
         {
-            parser(this, extra_args, sc, arg_to_parse, info, value_to_parse, args);
+            parser(this, original_args, extra_args, sc, arg_to_parse, info, value_to_parse, args);
         }
         else if (dereferenced_value)
         {
@@ -249,6 +249,21 @@ static std::string rstrip(std::string s)
     return s;
 }
 
+void syscalls_base::find_replace_arg(std::vector<std::pair<std::string, fmt::Aarg>>& vec, const std::string& key, const fmt::Aarg& newValue)
+{
+    auto it = std::find_if(vec.begin(), vec.end(),
+            [&key](const std::pair<std::string, fmt::Aarg>& element)
+    {
+        return element.first == key;
+    }
+        );
+
+    if (it != vec.end())
+    {
+        it->second = newValue;
+    }
+}
+
 bool syscalls_base::read_syscalls_list(const char* syscall_list_file)
 {
     std::ifstream file(syscall_list_file);
@@ -285,7 +300,7 @@ bool syscalls_base::read_syscalls_list(const char* syscall_list_file)
 void syscalls_base::register_parsers()
 {
     auto ascii_string_parser = [](
-            syscalls_base* base, fmt_args_t& extra_args, const syscalls_ns::syscall_t* sc,
+            syscalls_base* base, fmt_args_t& original_args, fmt_args_t& extra_args, const syscalls_ns::syscall_t* sc,
             const syscalls_ns::arg_t& arg, drakvuf_trap_info_t* info, uint64_t value,
             const std::vector<uint64_t>& all_args)
     {
@@ -294,7 +309,7 @@ void syscalls_base::register_parsers()
         char* cstr = drakvuf_read_ascii_str(base->drakvuf, info, value);
         if (cstr)
         {
-            extra_args.push_back(keyval(std::string(arg.name), fmt::Estr(std::string(cstr))));
+            find_replace_arg(original_args, std::string(arg.name), fmt::Estr(std::string(cstr)));
             g_free(cstr);
         }
     };
diff --git a/src/plugins/syscalls/win.cpp b/src/plugins/syscalls/win.cpp
@@ -869,7 +869,7 @@ void win_syscalls::register_parsers()
 
     // name based parsers
     m_name_parsers["ProcessHandle"] = [](
-            syscalls_base* base, fmt_args_t& extra_args, const syscalls_ns::syscall_t* sc,
+            syscalls_base* base, fmt_args_t& original_args, fmt_args_t& extra_args, const syscalls_ns::syscall_t* sc,
             const syscalls_ns::arg_t& arg, drakvuf_trap_info_t* info, uint64_t value,
             const std::vector<uint64_t>& all_args)
     {
@@ -897,7 +897,7 @@ void win_syscalls::register_parsers()
     };
 
     m_name_parsers["ThreadHandle"] = [](
-            syscalls_base* base, fmt_args_t& extra_args, const syscalls_ns::syscall_t* sc,
+            syscalls_base* base, fmt_args_t& original_args, fmt_args_t& extra_args, const syscalls_ns::syscall_t* sc,
             const syscalls_ns::arg_t& arg, drakvuf_trap_info_t* info, uint64_t value,
             const std::vector<uint64_t>& all_args)
     {
@@ -929,48 +929,48 @@ void win_syscalls::register_parsers()
     };
 
     m_name_parsers["FileHandle"] = [](
-            syscalls_base* base, fmt_args_t& extra_args, const auto* sc,
+            syscalls_base* base, fmt_args_t& original_args, fmt_args_t& extra_args, const auto* sc,
             const auto& arg, auto* info, uint64_t value, const auto& all_args)
     {
         if (value == 0) return;
         char* cstr = drakvuf_get_filename_from_handle(base->drakvuf, info, value);
         if (cstr)
         {
-            extra_args.push_back(keyval(std::string(arg.name) + "_Path", fmt::Estr(std::string(cstr))));
+            find_replace_arg(original_args, std::string(arg.name), fmt::Estr(std::string(cstr)));
             g_free(cstr);
         }
     };
 
     // type based parsers
     m_type_parsers[PUNICODE_STRING] = [](
-            syscalls_base* base, fmt_args_t& extra_args, const auto* sc,
+            syscalls_base* base, fmt_args_t& original_args, fmt_args_t& extra_args, const auto* sc,
             const auto& arg, auto* info, uint64_t value, const auto& all_args)
     {
         if (value == 0) return;
         unicode_string_t* us = drakvuf_read_unicode(base->drakvuf, info, value);
         if (us)
         {
-            extra_args.push_back(keyval(std::string(arg.name), fmt::Estr(std::string((char*)us->contents))));
+            find_replace_arg(original_args, std::string(arg.name), fmt::Estr(std::string((char*)us->contents)));
             vmi_free_unicode_str(us);
         }
     };
 
     m_type_parsers[POBJECT_ATTRIBUTES] = [](
-            syscalls_base* base, fmt_args_t& extra_args, const auto* sc,
+            syscalls_base* base, fmt_args_t& original_args, fmt_args_t& extra_args, const auto* sc,
             const auto& arg, auto* info, uint64_t value, const auto& all_args)
     {
         if (value == 0) return;
         char* cstr = drakvuf_get_filename_from_object_attributes(base->drakvuf, info, value);
         if (cstr)
         {
-            extra_args.push_back(keyval(std::string(arg.name), fmt::Estr(std::string(cstr))));
+            find_replace_arg(original_args, std::string(arg.name), fmt::Estr(std::string(cstr)));
             g_free(cstr);
         }
     };
 
     // resolve registers commonly used in process injection from context parameter
     m_type_parsers[PCONTEXT] = [](
-            syscalls_base* base, fmt_args_t& extra_args, const auto* sc,
+            syscalls_base* base, fmt_args_t& original_args, fmt_args_t& extra_args, const auto* sc,
             const auto& arg, auto* info, uint64_t value, const auto& all_args)
     {
         if (value == 0) return;
@@ -1005,7 +1005,7 @@ void win_syscalls::register_parsers()
     // syscall name + arg name based parsers
     m_syscall_arg_parsers[ {"NtSetInformationThread", "ThreadInformation"}] =
         [](
-            syscalls_base* base, fmt_args_t& extra_args, const syscalls_ns::syscall_t* sc,
+            syscalls_base* base, fmt_args_t& original_args, fmt_args_t& extra_args, const syscalls_ns::syscall_t* sc,
             const syscalls_ns::arg_t& arg_to_parse, drakvuf_trap_info_t* info,
             uint64_t value_to_parse, const std::vector<uint64_t>& all_args)
     {

Original file line number	Diff line number	Diff line change
`@@ -130,6 +130,9 @@ class linux_syscalls : public syscalls_base`
`130`	`130`	`bool trap_syscall_table_entries(drakvuf_t drakvuf);`
`131`	`131`
`132`	`132`	`linux_syscalls(drakvuf_t drakvuf, const syscalls_config* config, output_format_t output);`
	`133`	`+`
	`134`	`+protected:`
	`135`	`+ void register_parsers() override;`
`133`	`136`	`};`
`134`	`137`	`namespace syscalls_ns`
`135`	`138`	`{`
Original file line number	Diff line number	Diff line change
`@@ -214,7 +214,7 @@ void syscalls_base::fill_fmt_args(`
`214`	`214`
`215`	`215`	`if (parser)`
`216`	`216`	`{`
`217`		`- parser(this, extra_args, sc, arg_to_parse, info, value_to_parse, args);`
	`217`	`+ parser(this, original_args, extra_args, sc, arg_to_parse, info, value_to_parse, args);`
`218`	`218`	`}`
`219`	`219`	`else if (dereferenced_value)`
`220`	`220`	`{`
`@@ -249,6 +249,21 @@ static std::string rstrip(std::string s)`
`249`	`249`	`return s;`
`250`	`250`	`}`
`251`	`251`
	`252`	`+void syscalls_base::find_replace_arg(std::vector<std::pair<std::string, fmt::Aarg>>& vec, const std::string& key, const fmt::Aarg& newValue)`
	`253`	`+{`
	`254`	`+ auto it = std::find_if(vec.begin(), vec.end(),`
	`255`	`+ [&key](const std::pair<std::string, fmt::Aarg>& element)`
	`256`	`+ {`
	`257`	`+ return element.first == key;`
	`258`	`+ }`
	`259`	`+ );`
	`260`	`+`
	`261`	`+ if (it != vec.end())`
	`262`	`+ {`
	`263`	`+ it->second = newValue;`
	`264`	`+ }`
	`265`	`+}`
	`266`	`+`
`252`	`267`	`bool syscalls_base::read_syscalls_list(const char* syscall_list_file)`
`253`	`268`	`{`
`254`	`269`	`std::ifstream file(syscall_list_file);`
`@@ -285,7 +300,7 @@ bool syscalls_base::read_syscalls_list(const char* syscall_list_file)`
`285`	`300`	`void syscalls_base::register_parsers()`
`286`	`301`	`{`
`287`	`302`	`auto ascii_string_parser = [](`
`288`		`- syscalls_base* base, fmt_args_t& extra_args, const syscalls_ns::syscall_t* sc,`
	`303`	`+ syscalls_base* base, fmt_args_t& original_args, fmt_args_t& extra_args, const syscalls_ns::syscall_t* sc,`
`289`	`304`	`const syscalls_ns::arg_t& arg, drakvuf_trap_info_t* info, uint64_t value,`
`290`	`305`	`const std::vector<uint64_t>& all_args)`
`291`	`306`	`{`
`@@ -294,7 +309,7 @@ void syscalls_base::register_parsers()`
`294`	`309`	`char* cstr = drakvuf_read_ascii_str(base->drakvuf, info, value);`
`295`	`310`	`if (cstr)`
`296`	`311`	`{`
`297`		`- extra_args.push_back(keyval(std::string(arg.name), fmt::Estr(std::string(cstr))));`
	`312`	`+ find_replace_arg(original_args, std::string(arg.name), fmt::Estr(std::string(cstr)));`
`298`	`313`	`g_free(cstr);`
`299`	`314`	`}`
`300`	`315`	`};`