KVM-VMI / kvm-vmi

KVM-based Virtual Machine Introspection
https://kvm-vmi.github.io/kvm-vmi/master/

A hooking API allows you to define callbacks on top of the system calls you intercept #25

Open qth1991 opened 6 years ago

qth1991 commented 6 years ago

Hi, I can only get "event" and "name" now. How can we get hook? This is my my

Here is your yy

Wenzel commented 6 years ago

Did you modify the syscall.hook dict while in the callback? Look at the example.

Wenzel commented 6 years ago

Use define_hook: https://github.com/KVM-VMI/nitro/blob/master/nitro/backends/backend.py#L80

define a callback and pass it to this method.

    # callback invoked by Nitro for every intercepted syscall matching the hook
    def callback(syscall, backend):
        ...

    # register the callback for the NtOpenFile syscall
    self.nitro.backend.define_hook('NtOpenFile', callback)

Wenzel commented 6 years ago

You can try to remove the definition of the hook, this will intercept all syscalls. Check if you have NtOpenFile in one of them.

Otherwise you need to investigate by yourself.
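The two replies above describe the shape of the hooking API (a callback registered per syscall name via `define_hook`, receiving the `syscall` and the `backend`, and filling `syscall.hook`) and a diagnostic step (register no hook, so every syscall is delivered, and check whether `NtOpenFile` appears at all). The following is an added illustration of that pattern, not Nitro's or KVM-VMI's own code: the `Syscall`/`Backend` classes, the `dispatch` and `run` helpers and the event fields are assumptions, and the event stream is a constructed sample standing in for a real introspection capture.

```python
"""Added illustration of the hook pattern discussed in this issue.

NOT Nitro's code: it models backend.define_hook(name, callback) and a
callback(syscall, backend) that fills syscall.hook, driven by a constructed
syscall stream instead of a real KVM-VMI capture. Names are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Syscall:
    """Minimal stand-in for one intercepted system call."""
    name: str                                 # e.g. "NtOpenFile"
    event: dict                               # raw event data from the introspection layer
    hook: dict = field(default_factory=dict)  # filled by a hook callback, if one is defined


class Backend:
    """Toy backend: a registry mapping syscall name -> callback."""

    def __init__(self):
        self.hooks = {}

    def define_hook(self, name, callback):
        """Register callback for syscalls named `name` (assumed API shape)."""
        self.hooks[name] = callback

    def dispatch(self, syscall):
        """Deliver one syscall; run its callback if a hook is defined for it."""
        callback = self.hooks.get(syscall.name)
        if callback is not None:
            callback(syscall, self)
        return syscall


def open_file_hook(syscall, backend):
    """Callback for NtOpenFile: record the path and flag executables.

    The "path" field is part of the constructed sample events, not a field
    Nitro is known to expose under that name.
    """
    path = syscall.event.get("path", "<unknown>")
    syscall.hook["path"] = path
    syscall.hook["flagged"] = path.lower().endswith(".exe")


def run(backend, events):
    """Feed events through the backend and return the resulting Syscall objects."""
    return [backend.dispatch(Syscall(name=e["name"], event=e)) for e in events]


def sample_events():
    """Constructed sample capture: three syscalls, two of them NtOpenFile."""
    return [
        {"name": "NtOpenFile", "path": "C:\\Windows\\System32\\cmd.exe"},
        {"name": "NtCreateFile", "path": "C:\\Temp\\a.txt"},
        {"name": "NtOpenFile", "path": "C:\\Temp\\notes.txt"},
    ]


def with_hook():
    """Normal use: only NtOpenFile syscalls get their hook dict populated."""
    backend = Backend()
    backend.define_hook("NtOpenFile", open_file_hook)
    return run(backend, sample_events())


def without_hook():
    """Diagnostic from the thread: define no hook, so every syscall is delivered
    with an empty hook dict; then check whether NtOpenFile shows up at all."""
    return run(Backend(), sample_events())


if __name__ == "__main__":
    seen = {s.name for s in without_hook()}
    print("NtOpenFile intercepted:", "NtOpenFile" in seen)
    for s in with_hook():
        print(s.name, s.hook)
```

When the hook dict stays empty even though the callback is registered, the first thing to check is the one the thread names: whether the callback actually writes into `syscall.hook`, and whether the syscall name you registered ever appears in the unfiltered stream.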