keep an eye on probelkm forks

cuckoosandbox · Jul 6, 2015 · de85e4e · de85e4e
1 parent 4da2e72
commit de85e4e
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/analyzer/linux/modules/auxiliary/lkm.py b/analyzer/linux/modules/auxiliary/lkm.py
@@ -18,6 +18,7 @@ class LKM(Auxiliary):
 
     def __init__(self):
         self.config = Config(cfg="analysis.conf")
+        self.pids_reported = set()
 
     def start(self):
         # highest priority: if the vm config specifies the path
@@ -39,6 +40,24 @@ def start(self):
         os.system("insmod %s trace_descendants=1 target_pid=%u" % (path, os.getpid()))
         return True
 
+    def get_pids(self):
+        new = []
+
+        fd = open("/var/log/kern.log")
+        for line in fd:
+            if not "[probelkm]" in line: continue
+            pos1 = line.find("forked to ")
+            pos2 = line.find("@", pos1+10)
+            forked_pid = int(line[pos1+10:pos2])
+
+            if forked_pid in self.pids_reported:
+                continue
+
+            self.pids_reported.add(forked_pid)
+            new.append(forked_pid)
+
+        return new
+
     def stop(self):
         # i guess we don't need to unload at all
         #os.system("rmmod probelkm")