Linux fixes for syscalls, filetracer and added linux support for fileextractor#1864
Open
lfreijo wants to merge 13 commits into tklengyel:main from
Conversation
Add NULL check for module_info->full_name before accessing its contents in enum_modules_cb(). Some kernel modules (e.g., certain drivers in PID 4) do not have a full_name populated, causing a SIGSEGV when syscalls is combined with other plugins. This was the root cause of the crash (exit 139) when running syscalls alongside procmon, filetracer, and other plugins. The crash occurred during module enumeration on Windows, before any syscall events could be captured. Tested with 6-plugin combo (syscalls + procmon + filetracer + fileextractor + memdump + tlsmon) - 73,570 events, clean exit. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Linux file operation tracing to filetracer plugin
- Add Linux file extraction support to fileextractor plugin
- Extend syscalls plugin with additional Linux syscall hooks
- Fix linux_read_file buffer size bug (was using 0 instead of FILE_BUF_SIZE)
- Fix linux_read_file missing INJECTOR_SUCCEEDED return code

The filetracer and fileextractor plugins now support Linux guests, enabling file operation monitoring and file extraction capabilities for Linux-based analysis (including Android).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove fprintf(stderr, "[*-DEBUG]...") debug statements from:
  - syscalls/linux.cpp
  - syscalls/syscalls.cpp
  - filetracer/linux.cpp
  - plugins/plugins.cpp
- Restore removed section comments in:
  - syscalls/linux.cpp (trap_syscall_table_entries_legacy)
  - filetracer/linux.h (hook declarations)
  - filetracer/linux.cpp (hook registrations)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fix code formatting to pass CI astyle check. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The fileextractor plugin for Linux was failing on kernels < 6.x because it only attempted to hook x64_sys_call, which doesn't exist on older kernels. This adds a fallback to hook do_syscall_64 when x64_sys_call is not available, matching the behavior of the syscalls plugin. Tested on AlmaLinux 9 (kernel 5.14) where x64_sys_call is not present. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix enum shadowing error: reuse pt_regs definitions from filetracer_ns instead of duplicating them in fileextractor/linux.h. This fixes the -Wshadow error when building with -Dplugin-syscalls=false.
- Fix autoconf build: add linux.cpp and linux.h to Makefile.am so they are included in the distribution tarball for make dist builds.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Rename fileextractor's Linux offset enum values to use FE_ prefix to avoid shadowing filetracer_ns::__LINUX_OFFSET_MAX when both headers are included together. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Cannot include filetracer/private.h due to macro conflicts with fileextractor/private.h (#define GENERIC_ALL, FILE_WRITE_DATA, etc.). Instead, define pt_regs and Linux offset enums locally with FE_ prefix to avoid shadowing filetracer_ns definitions. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…names The dispatcher hook callback (linux_cb) was incorrectly caching the syscall definition in params->sc, which persists across callback invocations. This caused all syscalls after the first to report the same Method name. Fix: Save original_sc at callback start and reset params->sc to nullptr after processing for dispatcher hooks, ensuring dynamic syscall lookup on each invocation. Also pass syscall definition explicitly to print_syscall() rather than re-reading from params, and set info->trap->name to display the actual syscall name in the Method field. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
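The stale-cache bug described in the commit message above, modelled as an added example (this is not DRAKVUF code): a dispatcher-style hook, where one trap covers every syscall number, keeps per-hook state in a params struct that outlives each callback invocation. `SyscallDef`, `HookParams`, `TrapInfo`, `buggy_cb`, `fixed_cb` and the five-entry syscall table are hypothetical stand-ins; only the bug/fix pattern (save the original `sc`, resolve per trap, pass the definition explicitly, reset to `nullptr` for dispatcher hooks) follows the commit message.

```cpp
// Added example, not DRAKVUF code. Models the stale-cache bug from the commit
// message: a dispatcher hook (one trap for all syscalls) keeps per-hook state in
// a params struct that outlives each invocation. All names here are hypothetical.
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

struct SyscallDef
{
    uint64_t number;
    std::string name;
};

// Per-hook state shared across callback invocations (stands in for params->sc).
struct HookParams
{
    bool dispatcher;        // true: one hook covers every syscall number
    const SyscallDef* sc;   // fixed definition for per-entry hooks, scratch for dispatcher hooks
};

// What the callback receives per trap (stands in for the trap info struct).
struct TrapInfo
{
    uint64_t rax;           // syscall number register
    HookParams* params;
};

// Constructed toy syscall table; real tables are generated per kernel.
static const std::vector<SyscallDef> kTable =
{
    {0, "read"}, {1, "write"}, {2, "open"}, {3, "close"}, {202, "futex"},
};

static const SyscallDef* lookup_syscall(uint64_t nr)
{
    for (const auto& d : kTable)
        if (d.number == nr)
            return &d;
    return nullptr;
}

static std::string method_name(const SyscallDef* sc)
{
    return sc ? sc->name : "unknown";
}

// Buggy callback: fills params->sc on first use and never clears it, so a
// dispatcher hook reports the first syscall's name for every later trap.
std::string buggy_cb(TrapInfo* info)
{
    HookParams* p = info->params;
    if (!p->sc)
        p->sc = lookup_syscall(info->rax);
    return method_name(p->sc);
}

// Fixed callback: remember the original params->sc, resolve the definition for
// this trap, hand it to the printer explicitly, and for dispatcher hooks reset
// params->sc to nullptr so the next trap does a fresh lookup.
std::string fixed_cb(TrapInfo* info)
{
    HookParams* p = info->params;
    const SyscallDef* original_sc = p->sc;
    const SyscallDef* sc = original_sc ? original_sc : lookup_syscall(info->rax);
    std::string method = method_name(sc);
    p->sc = p->dispatcher ? nullptr : original_sc;
    return method;
}

// Drives a sequence of trapped syscall numbers through one hook's shared params.
std::vector<std::string> run(std::string (*cb)(TrapInfo*), HookParams params,
                             const std::vector<uint64_t>& nrs)
{
    std::vector<std::string> out;
    for (uint64_t nr : nrs)
    {
        TrapInfo info{nr, &params};
        out.push_back(cb(&info));
    }
    return out;
}

int main()
{
    HookParams dispatcher{true, nullptr};
    for (const auto& m : run(buggy_cb, dispatcher, {0, 1, 202}))
        std::cout << "buggy: " << m << '\n';   // read read read
    for (const auto& m : run(fixed_cb, dispatcher, {0, 1, 202}))
        std::cout << "fixed: " << m << '\n';   // read write futex
    return 0;
}
```

The per-entry case (`dispatcher == false`, `sc` preset) is what the original caching was designed for; the fix keeps that path intact and only stops the dispatcher path from inheriting the previous trap's definition.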
Enable capturing futex (Fast Userspace Mutex) operations on Linux/Android by defining the syscall arguments: uaddr, futex_op, val, timeout, uaddr2, val3. This allows downstream parsers to track mutex-like behavior on Linux systems, similar to how NtCreateMutant/NtOpenMutant are tracked on Windows. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Extract dispatcher hook lookup logic to separate helper function lookup_syscall_for_dispatcher() to reduce nesting and complexity of the main callback. This addresses CI cognitive-complexity check threshold of 25. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Collaborator
Can one of the admins verify this patch?
Owner
@drakvuf-jenkins Test this please
Creating this again. I noticed that half the commits that I made from a different machine had the wrong author info in the git history.
Tested on:
AlmaLinux 9 (linux 5.14.0)
Ubuntu 22.04 (linux 5.15.0)
BlissOS (Android 14/linux 6.6)
Ubuntu 24.04 (linux 6.8.0)