post injection failed to init, drakvuf will not run, stop at polling loop #1533

Open
cvcachagua opened this issue Oct 25, 2022 · 15 comments

@cvcachagua

I had previously run injection and I received in the output "inject..,Shellcode,InitFail"
As an aside, is there any start sequence/stop sequence, or is the shellcode just a sequence of values: e.g.; file == \xeb\x06\x48...

After which I could not run drakvuf again, the tool just stops. The VM guest would work slowly for one command, then freeze up.

I have since reset my code hard to the origin
Now version FETCH_HEAD shows 95d1759
I ran configure with --enable-debug and --disable-plugin ... I do this in a shell script because the line is so long.
I ran drakvuf with verbose, -v: # src/drakvuf -v -r /root/vm2.json -d 15 2>&1 |tee myoutfile
The output shows "starting plugin " -- perhaps I should assume that the plugins are attempted, but do not start? This is confusing and does not show syscalls as being run, while the other plugins are not to be run.

... looking through the output, I see the last two calls before execution seemingly stops:
Beginning DRAKVUF main loop
Started DRAKVUF polling loop ... then nothing, but the VM guest seems fine (while using the screen utility)

I press CTRL-C and then the guest VM is paused -- I find this to be typical when I run using the tee utility in this way.

BTW I can run drakvuf with all plugins disabled, but no output happens either.

  1. the debug output seems to be wrong, or at least I do not know how to correctly disable plugins -- I am a little confused due to some of the capital letters in the names of the plugins, etc.
  2. Why is drakvuf stopping, how can I fix the problem, what should I try?
@cvcachagua
Author

Some of my markups have been removed -- my fault.

previously received output:
''' inject..Shellcode.InitFail '''

and using a bash shell script used:
'''configure --enable-debug and --disable-plugin '''

@cvcachagua
Author

Looking at the configure output, I see all plugins except syscalls are disabled -- looks like I did it correctly.

the received output from injection:
inject #.#.Shellcode.InitFail

@cvcachagua
Author

I can also get the vmi-process-list, so libvmi must be working.

@cvcachagua
Author

I went back to Debugging DRAKVUF
https://github.com/tklengyel/drakvuf/wiki/Debugging-DRAKVUF

When run, the output shows:
... all processes on CPU ...,
[PROCMON] TIME:1667588652.385067 PID:13782 PPID:13773 RunningProcess:"/usr/bin/pulseaudio"
1667588652.385343 [PROCMON] Method do_execveat_common not found. You are probably using an older kernel version below 5.9
1667588652.385354 Starting plugin procmon finished

..... My kernel is 5.15.0-41-generic, running Ubuntu 20.04.01, .....

Then there are a bunch of these lines:
Filetracer Callback : vfs_rename
1667588652.731881 Switching altp2m and to singlestep on vcpu 0
1667588652.732024 reset trap on vCPU 0, switching altp2m 0->1
1667588652.733525 Filetracer Callback : vfs_rename

....... Then there is this:
1667588652.774788 Copied trapped page to new location
1667588652.774801 Activating remapped gfns in the altp2m views!
1667588652.774865 Trap added @ PA 0x362fecf8 RPA 0xff00bcf8 Page 221950 for do_filp_open.
1667588652.774882 Switching altp2m and to singlestep on vcpu 1
1667588652.774972 reset trap on vCPU 1, switching altp2m 0->1

..... then lines similar to this over and over:
1667588652.775048 Pre mem cb with vCPU 1 @ 0x362fecd8 in view 1: rw-
1667588652.775079 Switching to altp2m view 0 on vCPU 1 and waiting for post_mem cb
1667588652.775170 Post mem cb @ 0x362fecd8 vCPU 1 altp2m 0
1667588652.775186 Re-copying remapped gfn

The VM showed nothing in xl list state '-----'

If I run with no debug, procmon output goes up to PID:1149 PPID:1 RunningProcess:"/usr/libexec/ibus-x11"

The xl state then goes from 'r----' to '--p---' to '------' and drakvuf has no output past procmon.

....... I then tried to start up my VM with just 1CPU, and now I get data from drakvuf, but nothing is output.
The ps -aux stat value is: Rl, then Sl, then Rl, then Sl, ... etc. -- not sure what is going on there. The %CPU is 76.8 and the %Mem is 14.6, both values steady/unchanging. The VM xl state has alternating values of {r,p,-} -- but the VM seems stuck; I gave the command $ whoami -- and there is just a blank line.

I would appreciate any help I can get.
Thanks in advance!!

@cvcachagua
Author

To be honest I have not gotten injection to run on my linux VM Guests -- currently my local version of drakvuf is 1e8078e

Are there injection tests being run on each build, and if so, do injection test cases exist that run on perhaps a test harness, test cases I can look at to see how I can perform injection on known good test cases? That would be a really big help. Perhaps on another git repo?

If things have changed in injection, I can git pull and re-insert my code and try again (with some effort), if things have been fixed.

Here is some code snips:
//---try 1
const char* arg[2];
arg[0] = "/usr/bin/sensors"; //This seems to be the args according to the path
//---try 2
//arg[0] = "/bin/bash"; //I don't think this works that way
//arg[1] = "/usr/bin/sensors"; //I don't think this works that way
retvalue = injector_start_app( drakvuf, (vmi_pid_t) info->proc_data.pid, (uint32_t) info->proc_data.tid,
(const char*) "/etc/xen/plugins/sensors-test-stdout/sensors", //app -- called file ??? WHAT IS THIS???
NULL, //cwd -- for WINDOWS ONLY -- NOT USED
(injection_method_t) 6, //method == exec
(output_format_t) 1, //output format type
(const char*) "/etc/xen/plugins/sensors-test-stdout/sensors", //binary path -- ONLY read_file or write_file (where output file will be injected to/from ???WHAT IS THIS???)
//NULL, //binary path -- ONLY for read_file or write_file ???WHAT IS THIS??
NULL, //target process file -- WINDOWS ONLY
NULL, //break loop on detection -- WINDOWS ONLY
NULL, //injector to be freed -- WINDOWS ONLY
NULL, //global search -- WINDOWS ONLY
NULL, //wait for exit -- WINDOWS ONLY
1, //number of arguments for i<args, so i is array value, starts at 0 -- LINUX ONLY
arg, // args[] -- LINUX ONLY
NULL); //injected pid <--- is this the pid of the proc to be injected ???WHAT IS THIS???
//(vmi_pid_t*) getInjPid()); //or use the injected PID of the to be injected proc below*1

I have tried ExecFile, WriteFile, ReadFile -- I cannot get anything to work yet.
I get:
inject,1677702067.148137,WriteFile,InitFail -- exec
inject,1677703132.680280,WriteFile,InitFail -- exec
*** buffer overflow detected ***: terminated -- read

*1 When I try using the pid of the process to be injected, using exec, I get:
[SYSRET] TIME:1677775422.611072 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigprocmask UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:14 Ret:0 Info:
[SYSCALL] TIME:1677775422.611145 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":close UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:3 NArgs:1 Inlined:"False" fd:0x4
[SYSRET] TIME:1677775422.611301 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":close UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:3 Ret:159 Info:
[SYSCALL] TIME:1677775422.611374 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":read UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:0 NArgs:3 Inlined:"False" fd:0x3 buf:0x7FFF03942F0F count:0x1
[SYSRET] TIME:1677775422.611956 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":read UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:0 Ret:111 Info:
[SYSCALL] TIME:1677775422.612033 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":close UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:3 NArgs:1 Inlined:"False" fd:0x3
[SYSRET] TIME:1677775422.612191 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":close UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:3 Ret:127 Info:
[SYSCALL] TIME:1677775422.612271 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 NArgs:0 Inlined:"False"
[SYSRET] TIME:1677775422.613107 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 Ret:186 Info:
[SYSCALL] TIME:1677775422.613183 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 NArgs:0 Inlined:"False"
[SYSRET] TIME:1677775422.613263 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 Ret:133 Info:
[SYSCALL] TIME:1677775422.613618 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 NArgs:0 Inlined:"False"
[SYSRET] TIME:1677775422.613698 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 Ret:160 Info:
[SYSCALL] TIME:1677775422.613770 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 NArgs:0 Inlined:"False"
[SYSRET] TIME:1677775422.613919 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 Ret:28 Info:
[SYSCALL] TIME:1677775422.613996 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 NArgs:0 Inlined:"False"
[SYSRET] TIME:1677775422.614075 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 Ret:207 Info:
[SYSCALL] TIME:1677775422.614290 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 NArgs:0 Inlined:"False"
[SYSRET] TIME:1677775422.614415 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 Ret:12 Info:
[SYSCALL] TIME:1677775422.614487 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 NArgs:0 Inlined:"False"
[SYSRET] TIME:1677775422.614562 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 Ret:82 Info:
[SYSCALL] TIME:1677775422.614630 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 NArgs:0 Inlined:"False"
[SYSRET] TIME:1677775422.614703 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 Ret:92 Info:
[SYSCALL] TIME:1677775422.614771 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 NArgs:0 Inlined:"False"
[SYSRET] TIME:1677775422.614845 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 Ret:11 Info:
[SYSCALL] TIME:1677775422.614944 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 NArgs:0 Inlined:"False"
[SYSRET] TIME:1677775422.615024 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 Ret:143 Info:
[SYSCALL] TIME:1677775422.615094 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 NArgs:0 Inlined:"False"
[SYSRET] TIME:1677775422.615167 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 Ret:172 Info:
[SYSCALL] TIME:1677775422.615235 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 NArgs:0 Inlined:"False"
[SYSRET] TIME:1677775422.615308 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 Ret:130 Info:
[SYSCALL] TIME:1677775422.615375 VCPU:0 CR3:0xCD80003 "/usr/bin/bash":rt_sigaction UID:1000 PID:997 PPID:983 Module:"linux" vCPU:0 CR3:0xCD80003 Syscall:13 NArgs:0 Inlined:"False"

All these rt_sigaction calls look suspicious, like something is trying to run.
and then the state of the vm is 'p' in "xl list"

@tklengyel
Owner

There are injection tests run on each PR but only targeting Windows. The Linux injection method was tested manually before it got merged but there is no test of it in the CI currently.

@cvcachagua
Author

I hacked into the syscall plugin and searched for a process that I run on dom0; when I find that process, I run injection.
I tried write_file thinking that it should run, but doesn't.
I created a small text file: echo "from host" > ~/readme.txt ....in dom0
I extracted output via logging and here is what I got:

user1@xhf:~$ cat log-src-libinject-injector_utils.txt
src/libinjector/injector_utils.c print_injection_info(): method=====> WriteFile
src/libinjector/injector_utils.c print_injection_info(): case=====> INJECT_RESULT_PREMATURE:
src/libinjector/injector_utils.c print_injection_info(): case(format)=====> OUTPUT_CSV

user1@xhf:~$ cat log-src-libinjector-linux-linux_injector.c.txt
linux_injector.c injector_start_app_on_linux() --- read or write file ----- guest file=====> /home/user1/aaa
linux_injector.c injector_start_app_on_linux() --- read or write file ----- host file=====> /home/user1/readme.txt
linux_injector.c injector_start_app_on_linux() ----- init_injector succeeded! ===>
linux_injector.c static bool inject()===> Starting drakvuf loop
linux_injector.c static bool inject()===> Finished drakvuf loop
linux_injector.c static bool inject()===> injector->rc == INJECTOR_FAILED
linux_injector.c static bool inject()===> End of function inject()
linux_injector.c injector_start_app_on_linux() ----- inject failed===>
linux_injector.c injector_start_app_on_linux() ----- inject Premature===>

user1@xhf:~$ cat log-src-libinject-linux-methods-linux_write.txt
linux_write_file.c init_write_file_method()===> -----start-----
linux_write_file.c init_write_file_method()===> file is good
linux_write_file.c init_write_file_method()===> fseek is good
linux_write_file.c init_write_file_method()===> init_write_file_method() is good

Std Output:
[FILETRACER] TIME:1678915246.738460 VCPU:0 CR3:0xF462003 "/usr/bin/bash":do_filp_open UID:1000 PID:997 PPID:957 Permissions:755 ThreadName:bash FileName:"/usr/lib/x86_64-linux-gnu/ld-2.31.so" Mode:MODE_S_IFREG
[FILETRACER] TIME:1678915246.739284 VCPU:0 CR3:0xF520004 "/usr/bin/ps":filp_close UID:1000 PID:997 PPID:957 Permissions:600 ThreadName:bash FileName:"/hvc0" Mode:MODE_S_IFCHR UID:1000 GID:5
[PROCMON] TIME:1678915246.740170 VCPU:0 CR3:0xF520004 "/usr/bin/bash":do_execveat_common UID:1000 PID:957 PPID:647 ThreadName:"bash" NewPid:997 NewTid:997 CommandLine:"ps" ImagePathName:"/usr/bin/ps" CWD:"/home/user1"
linux_ret_cb ----------- syscall=59 ----------inj_pid=-1 , pid=997
linux_ret_cb ----------- syscall=59 NOT LOCKED, now check path ----------
------------ execve executable=/usr/bin/ps , pathname=/usr/bin/ps=--------
---Found syscall==execve ret: procname=/usr/bin/ps==, num_args=0, fullpath=/usr/bin/ps== ---------
linux_ret_cb -----syscall=59 LOCKED, next do-work ----- inj_pid==997, w->pid=997, info->proc_data.pid=997
linux_ret_cb -----syscall=59 ---- TID Info ----- tid=997
^CSegmentation fault (core dumped)

On the VM I created an executable and compiled it for running on vm1, so I can run the injection command line
user1@vm1:~$ cat wait.c
#include <stdio.h>
#include <unistd.h>

int main() {
      pid_t mpid;
      mpid = getpid();
      printf("pid=%d\n", (int) mpid);
      sleep(9);
      return 0;
}
I then tried to run from the command line after execution of wait on vm1:
root@xhf:/home/user1/git/drakvuf# src/injector -r /root/vm1.json -d 4 -e /home/user1/readme.txt -B /home/user1/aaa -m writefile -i 1070
DRAKVUF src/injector v1.1-git20230216105212+1e8078e-1 Copyright (C) 2014-2023 Tamas K Lengyel
Injector starting /home/user1/readme.txt through PID 1070 TID: 0
Could not open (/home/user1/aaa) for writing: No such file or directory
[INJECT] TIME:1678919089.498577 METHOD:WriteFile STATUS:InitFail
Process startup failed

I then created an empty file echo "" > ~/aaa ....in domN (vm1)

root@xhf:/home/user1/git/drakvuf# src/injector -r /root/vm1.json -d 4 -e /home/user1/readme.txt -B /home/user1/aaa -m writefile -i 1097
DRAKVUF src/injector v1.1-git20230216105212+1e8078e-1 Copyright (C) 2014-2023 Tamas K Lengyel
Injector starting /home/user1/readme.txt through PID 1097 TID: 0
Could not open (/home/user1/aaa) for writing: No such file or directory
[INJECT] TIME:1678919207.248884 METHOD:WriteFile STATUS:InitFail
Process startup failed

I then made the file ugo+rw ~/aaa ....in domN (vm1)

root@xhf:/home/user1/git/drakvuf# src/injector -r /root/vm1.json -d 4 -e /home/user1/aaa -B /home/user1/readme.txt -m writefile -i 1099
DRAKVUF src/injector v1.1-git20230216105212+1e8078e-1 Copyright (C) 2014-2023 Tamas K Lengyel
Injector starting /home/user1/aaa through PID 1099 TID: 0
[INJECT] TIME:1678919318.456197 METHOD:WriteFile STATUS:PrematureBreak
Segmentation fault (core dumped)

root@xhf:/home/user1/git/drakvuf# xl list
Name ID Mem VCPUs  State Time(s)
Domain-0 0 8136 1 r----- 2359.9
vm1 5 1008 1 -b---- 13.8
root@xhf:/home/user1/git/drakvuf# src/injector -r /root/vm1.json -d 5 -e /home/user1/readme.txt -B /home/user1/aaa -m writefile -i 970
DRAKVUF src/injector v1.1-git20230216105212+1e8078e-1 Copyright (C) 2014-2023 Tamas K Lengyel
Injector starting /home/user1/readme.txt through PID 970 TID: 0
Could not open (/home/user1/aaa) for writing: No such file or directory
[INJECT] TIME:1678920100.512565 METHOD:WriteFile STATUS:InitFail
Process startup failed

I then created an empty file echo "" > ~/readme.txt

root@xhf:/home/user1/git/drakvuf# src/injector -r /root/vm1.json -d 5 -e /home/user1/readme.txt -B /home/user1/readme.txt -m writefile -i 974
DRAKVUF src/injector v1.1-git20230216105212+1e8078e-1 Copyright (C) 2014-2023 Tamas K Lengyel
Injector starting /home/user1/readme.txt through PID 974 TID: 0
[INJECT] TIME:1678920212.639852 METHOD:WriteFile STATUS:PrematureBreak
Segmentation fault (core dumped)

...... I have not gotten injection to work on linux. Am I doing something wrong, or is injection broken?

@cvcachagua
Author

I ran in debug mode:
$ cd ~/git/drakvuf
$ meson reconfigure --buildtype=debug ./build
$ ninja -C ./build

But there was no output that was additional -- A nice to have feature for the command line (src/injector) is for a debug verbose mode (if it is possible and makes sense).

I also performed a pull today, just a few minutes ago, as I saw work being performed on injection yesterday (really thankful!!), but the version I pulled did not work yet.

@tklengyel
Owner

Compiling with debug target makes the -v input available, that's what you need to use to get the debug output. But for the segfaults it actually would be more useful if you could run it through gdb and get us a stack backtrace from the segfault.
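
One way to get that backtrace without babysitting an interactive gdb session, added here as an example that is not part of this thread or of the DRAKVUF project: run the injector under gdb in batch mode so that a SIGSEGV, or a Ctrl-C while it sits in poll, dumps every thread's stack to a log, then pick out the innermost frame that lies in DRAKVUF's own tree. The injector flags passed after --args are the ones used in this thread; the log path, the ../src/ heuristic and the helper names are this example's assumptions.

```sh
#!/bin/sh
# Added example (not DRAKVUF tooling): run src/injector under gdb in batch
# mode and keep the backtrace of a crash, or of a hang interrupted with
# Ctrl-C, in a log file. Everything after "--args" is the injector's own
# command line; BT_LOG and the ../src/ heuristic are assumptions.
set -u

BT_LOG="${BT_LOG:-/tmp/injector-bt.log}"

# Run the given command line under gdb. gdb stops on SIGSEGV and on the
# SIGINT from Ctrl-C, prints every thread's stack with locals, then quits.
run_under_gdb() {
    ulimit -c unlimited 2>/dev/null || true   # keep a core file as well
    gdb -q -batch \
        -ex 'set pagination off' \
        -ex 'handle SIGINT stop print' \
        -ex run \
        -ex 'thread apply all bt full' \
        --args "$@" 2>&1 | tee "$BT_LOG"
}

# From a gdb backtrace on stdin, print the first frame line whose source path
# is inside the DRAKVUF tree (../src/...), i.e. the innermost project code
# above libc/libvmi. Exit status 1 if there is no such frame.
first_project_frame() {
    awk '/^#[0-9]+ / && /\.\.\/src\// { print; found = 1; exit } END { exit !found }'
}

# Just the frame number, for a follow-up "gdb ... -ex 'frame N' -ex 'info locals'".
frame_number() {
    first_project_frame | sed -n 's/^#\([0-9]*\) .*/\1/p'
}

if [ "${1:-}" = "--run" ]; then
    shift
    run_under_gdb "$@"
    printf 'innermost DRAKVUF frame: %s\n' "$(first_project_frame < "$BT_LOG")"
fi
```

Invoke it as sh bt.sh --run ./build/src/injector -r /root/vm1.json -d 4 -i PID -m writefile -e GUESTPATH -B HOSTPATH; the full backtrace lands in /tmp/injector-bt.log and the last line names the frame worth pasting into the issue. With the backtrace shown later in this thread the helper picks frame #1, drakvuf_poll in vmi.c, because frame #0 is glibc's poll.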

@cvcachagua
Author

For some reason I did not get -v to work:

cd git/drakvuf/

root@xhf:/home/cdprince/git/drakvuf# src/injector -r /root/vm1.json -d 1 -e /home/user1/readme.txt -B /home/user1/aaa -m writefile -v -i 1009
DRAKVUF src/injector v1.1-git20230216105212+1e8078e-1 Copyright (C) 2014-2023 Tamas K Lengyel
Unrecognized option: v
root@xhf:/home/cdprince/git/drakvuf# src/injector
DRAKVUF src/injector v1.1-git20230216105212+1e8078e-1 Copyright (C) 2014-2023 Tamas K Lengyel
Required input:
-r The OS kernel's JSON
-d The domain's ID or name
-i The PID(WIN) | TGID(LINUX) of the process to hijack for injection
-e <inject_file> File to be injected:
for -m createproc/shellexec/shellcode/doppelganging: the executable to start with injection
for -m readfile/writefile: the guest path of the file to be read/written
Optional inputs:
-l Use libvmi.conf
-k Use provided KPGD value for faster and more robust startup (advanced)
-m <inject_method> The injection method
[WIN]
createproc (32 and 64-bit) - Spawn a windows process using CreateProcessW ( use -e for specifying the program )
shellexec (32 and 64-bit) - Spawn a process using ShellExecute ( use -e for specifying the program )
shellcode (Win10) (64bit)
[LINUX] (64 bit support only)
shellcode - Execute shellcode binary ( use -e for specifying the shellcode binary )
execproc - Run any process using vfork and execve ( -e for specifying the program, -f for args )
[BOTH] (WIN - 32-bit untested and 64-bit, LINUX - 64-bit only)
readfile - pull a file (specified by guest path -e) from the VM and store it on host path specified by -B
writefile - push a file (specified by host path -B) to the VM and store it on guest path specified by -e
-f [LINUX] - Arguments specified for exec to include (requires -m execproc)
[LINUX] (execproc -> execve(const char *file, const char argv[], const char envp[]); 64bit only)
[-B] The host path of the binary:
for -m readfile: where to store the file read out from VM
for -m writefile: to write into the guest VM
[-P] The guest path of the clean guest process to use as a cover (requires -m doppelganging)
-I The ThreadID in the process to hijack for injection (requires -i) (LINUX: Injects to TGID Thread if ThreadID not specified)
-c <current_working_dir> The current working directory for injected executable
-w Inject process and wait until it terminates (requires -m createproc)
--timeout
Injection timeout (in seconds, default: 0 == no timeout)

BTW -- I no longer get the Segmentation fault
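
A wrapper around the readfile/writefile methods listed in that usage text, added as an example that is not from the thread or from DRAKVUF: it checks the host-side path before the injector touches the guest, always passes --timeout so a stuck injection cannot hang a harness, and turns the [INJECT] ... STATUS:... result line into an exit code. The flag meanings follow the usage text above; the binary location, the default timeout and the Success token (the thread only shows the InitFail and PrematureBreak values) are assumptions.

```sh
#!/bin/sh
# Added example (not DRAKVUF's own tooling): wrapper around src/injector for
# the readfile/writefile methods. Flag meanings follow the injector usage
# text; INJECTOR, INJECT_TIMEOUT and the "Success" token are assumptions.
set -u

INJECTOR="${INJECTOR:-./build/src/injector}"
INJECT_TIMEOUT="${INJECT_TIMEOUT:-30}"

# Print the value of one KEY:value field from an "[INJECT] ..." line read on
# stdin, e.g. "inject_field STATUS" prints InitFail. Empty output if absent.
inject_field() {
    key="$1"
    sed -n "s/^\[INJECT\] .*[[:space:]]$key:\([^[:space:]]*\).*/\1/p" | head -n 1
}

# Map a STATUS value to an exit code: 0 on Success, 2 on the init/premature
# failures seen in this thread, 3 for anything else (unknown or missing).
status_to_rc() {
    case "$1" in
        Success)                 return 0 ;;   # assumed success token
        InitFail|PrematureBreak) return 2 ;;
        *)                       return 3 ;;
    esac
}

# Usage: inject_file <readfile|writefile> <kernel.json> <domid> <pid> <guest_path> <host_path>
# Preflight the host path (-B) per the usage text: writefile reads it,
# readfile writes it. Then run the injector with a timeout and grade the result.
inject_file() {
    method="$1" json="$2" dom="$3" pid="$4" guest="$5" host="$6"
    case "$method" in
        writefile) [ -r "$host" ] || { echo "host file not readable: $host" >&2; return 1; } ;;
        readfile)  [ -d "$(dirname "$host")" ] || { echo "host dir missing for: $host" >&2; return 1; } ;;
        *)         echo "method must be readfile or writefile" >&2; return 1 ;;
    esac
    out=$("$INJECTOR" -r "$json" -d "$dom" -i "$pid" -m "$method" \
              -e "$guest" -B "$host" --timeout "$INJECT_TIMEOUT" 2>&1)
    printf '%s\n' "$out"
    status=$(printf '%s\n' "$out" | inject_field STATUS)
    status_to_rc "$status"
}

if [ "${1:-}" = "--run" ]; then
    shift
    inject_file "$@"
fi
```

Run it as sh inject.sh --run writefile /root/vm1.json 4 PID /home/user1/aaa /home/user1/readme.txt; a missing host file is rejected before the guest is touched, and the exit code distinguishes an InitFail/PrematureBreak from an injector that printed no result line at all.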

@tklengyel
Owner

If -v doesn't work it means the binary wasn't compiled with debug mode enabled.

@cvcachagua
Author

xhf:/git/drakvuf$ meson configure --buildtype=debug ./build
xhf:/git/drakvuf$ ninja -C ./build
ninja: Entering directory `./build'
[0/1] Regenerating build files.
The Meson build system
Version: 0.53.2
Source dir: /home/cdprince/git/drakvuf
Build dir: /home/cdprince/git/drakvuf/build
Build type: native build
Project name: DRAKVUF (C) Tamas K Lengyel 2014-2023
Project version: 1.1
C compiler for the host machine: clang (clang 10.0.0-4ubuntu1 "clang version 10.0.0-4ubuntu1 ")
C linker for the host machine: clang ld.bfd 2.34
C++ compiler for the host machine: clang++ (clang 10.0.0-4ubuntu1 "clang version 10.0.0-4ubuntu1 ")
C++ linker for the host machine: clang++ ld.bfd 2.34
Host machine cpu family: x86_64
Host machine cpu: x86_64
Dependency glib-2.0 found: YES 2.64.6 (cached)
Dependency libvmi found: YES 0:15:0 (cached)
Dependency json-c found: YES 0.13.1 (cached)
Dependency xencontrol found: YES 4.17.0 (cached)
Dependency xenlight found: YES 4.17.0 (cached)
Dependency xenforeignmemory found: YES 1.4 (cached)
Dependency xentoollog found: YES 1.0 (cached)
Library dl found: YES
Dependency threads found: YES unknown (cached)
Configuring config.h using configuration
Build targets in project: 9

DRAKVUF (C) Tamas K Lengyel 2014-2023 1.1

Version
Build: 1.1-9e3da33

Plugins (-Dplugin-)
syscalls: True
poolmon: True
apimon: True
bsodmon: True
callbackmon: True
clipboardmon: True
codemon: True
cpuidmon: True
crashmon: True
debugmon: True
delaymon: True
dkommon: True
envmon: True
exmon: True
exploitmon: True
fileextractor: True
filetracer: True
hidsim: True
librarymon: True
memdump: True
objmon: True
rootkitmon: True
spraymon: True
hidevm: True
ptracemon: True
ebpfmon: True
memaccessmon: True
unixsocketmon: True
etwmon: True
ipt: True
rebootmon: True
linkmon: True

Deprecated plugins
filedelete: False

Configuration
buildtype: debug
Hardening: True
XTF: False
REPL: False
IPT: True

Install path
prefix/bindir: /usr/local/bin

Option buildtype is: debug [default: release]
Found ninja-1.10.0 at /usr/bin/ninja
ninja: no work to do.

I did not see that the install path was /usr/local/bin/
root@xhf:/home/cdprince/git/drakvuf# /usr/local/bin/injector -v -r /root/vm1.json -d 1 -e /etc/xen/plugins/WRITEFILE/output.txt -B /home/cdprince/output.txt -m writefile -i 1096
DRAKVUF /usr/local/bin/injector v1.1-git20230216105212+1e8078e-1 Copyright (C) 2014-2023 Tamas K Lengyel
Unrecognized option: v
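
The banner printed here names hash 1e8078e, while the meson summary a few lines up reports Build: 1.1-9e3da33, so the two outputs come from different builds. This added check (not from the thread or from DRAKVUF) reads the hash out of the banner, compares it with the source tree's HEAD, and probes whether -v is accepted, so a stale install is noticed before a build flag is blamed. The banner and summary formats and the "Unrecognized option: v" string are taken from the output in this thread; the paths and the -v probe are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread or from DRAKVUF: confirm that the
# injector being executed is the one just built before debugging flags.
# Banner format ("... v1.1-git...+1e8078e-1 ...") and meson's "Build: 1.1-9e3da33"
# line follow the output shown in this thread; paths are assumptions.
set -u

SRC_DIR="${SRC_DIR:-${HOME:-/root}/git/drakvuf}"
INJECTOR="${INJECTOR:-$SRC_DIR/build/src/injector}"

# Git hash embedded in a DRAKVUF banner line read from stdin:
# "DRAKVUF src/injector v1.1-git20230216105212+1e8078e-1 Copyright ..." -> 1e8078e
banner_hash() {
    sed -n 's/.* v[0-9.]*-git[0-9]*+\([0-9a-f]\{7,\}\)-.*/\1/p' | head -n 1
}

# Hash from meson's "Build: 1.1-9e3da33" summary line read from stdin.
build_summary_hash() {
    sed -n 's/^Build: [0-9.]*-\([0-9a-f]\{7,\}\)$/\1/p' | head -n 1
}

# Compare two abbreviated hashes; either may be the longer one. Empty
# hashes never match, so an unparsable banner cannot pass the check.
same_commit() {
    a="$1" b="$2"
    [ -n "$a" ] && [ -n "$b" ] || return 1
    case "$a" in "$b"*) return 0 ;; esac
    case "$b" in "$a"*) return 0 ;; esac
    return 1
}

# True if injector output on stdin shows that -v was rejected, which this
# thread's maintainer reply ties to a binary built without debug enabled.
rejects_verbose() {
    grep -q '^Unrecognized option: v$'
}

check_binary() {
    resolved=$(command -v "$INJECTOR" || printf '%s' "$INJECTOR")
    echo "running: $resolved"
    bhash=$("$INJECTOR" 2>&1 | banner_hash)
    head=$(git -C "$SRC_DIR" rev-parse --short HEAD 2>/dev/null || echo unknown)
    echo "binary hash: ${bhash:-unknown}  source HEAD: $head"
    same_commit "$bhash" "$head" || echo "WARNING: binary was built from a different commit"
    if "$INJECTOR" -v 2>&1 | rejects_verbose; then
        echo "WARNING: -v rejected; this binary is not a debug build"
        return 1
    fi
}

if [ "${1:-}" = "--check" ]; then
    check_binary
fi
```

Point INJECTOR at whichever binary you are about to run (the build tree's build/src/injector, the autotools src/injector, or /usr/local/bin/injector) and run sh check.sh --check; a hash that differs from HEAD or a rejected -v both print a warning.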

@cvcachagua
Author

The program stops; I was using gdb.

Seems that injection is stuck in poll
Thread 1 "drakvuf" received signal SIGINT, Interrupt.
0x00007ffff79e199f in __GI___poll (fds=0x5555558c74c0, nfds=1, timeout=1000) at ../sysdeps/unix/sysv/linux/poll.c:29
29 ../sysdeps/unix/sysv/linux/poll.c: No such file or directory.
(gdb)
(gdb)
(gdb) bt
#0 0x00007ffff79e199f in __GI___poll (fds=0x5555558c74c0, nfds=1, timeout=1000) at ../sysdeps/unix/sysv/linux/poll.c:29
#1 0x00005555556212b5 in drakvuf_poll (drakvuf=0x5555558bb6f0, timeout=1000) at ../src/libdrakvuf/vmi.c:1774
#2 0x00005555556211ea in drakvuf_loop (drakvuf=0x5555558bb6f0, is_interrupted=0x55555576a980 <is_interrupted>, data=0x0) at ../src/libdrakvuf/vmi.c:1810
#3 0x000055555576a0cd in inject (drakvuf=0x5555558bb6f0, injector=0x55557f679490) at ../src/libinjector/linux/linux_injector.c:398
#4 injector_start_app_on_linux (drakvuf=0x5555558bb6f0, pid=, tid=, file=, method=, format=OUTPUT_CSV, binary_path=0x5555557b91c1 "/etc/xen/plugins/sensors-test-stdout/sensors", args_count=1,
args=0x7fffffffcb90, injected_pid=0x55555587c090 <inj_pid>) at ../src/libinjector/linux/linux_injector.c:518
#5 0x000055555576118e in injector_start_app (drakvuf=0x5555558bb6f0, pid=1080, tid=1080, app=0x55557f622720 "/home/cdprince/wait", cwd=, method=INJECT_METHOD_EXECPROC, format=, binary_path=, target_process=,
break_loop_on_detection=, injector_to_be_freed=, global_search=, wait_for_exit=, args_count=, args=, injected_pid=) at ../src/libinjector/injector.c:150
#6 0x0000555555655378 in linux_syscalls::linux_cb (this=0x5555558ca240, drakvuf=, info=) at ../src/plugins/syscalls/linux.cpp:547
#7 0x000055555565aeb0 in std::__invoke_impl<unsigned int, unsigned int (linux_syscalls::* const&)(drakvuf*, drakvuf_trap_info*), linux_syscalls*, drakvuf*&, drakvuf_trap_info*&> (__f=, __t=, __args=, __args=)
at /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:73
#8 std::__invoke<unsigned int (linux_syscalls::* const&)(drakvuf*, drakvuf_trap_info*), linux_syscalls*, drakvuf*&, drakvuf_trap_info*&> (__fn=, __args=, __args=, __args=)
at /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/invoke.h:95
#9 std::invoke<unsigned int (linux_syscalls::* const&)(drakvuf*, drakvuf_trap_info*), linux_syscalls*, drakvuf*&, drakvuf_trap_info*&> (__fn=, __args=, __args=, __args=)
at /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/functional:81
#10 ZZN8pluginex14wrap_plugin_cbIM14linux_syscallsFjP7drakvufP17drakvuf_trap_infoEEESt8functionIFjS3_S5_EET_ENKUlDpOT_E_clIJS3_S5_EEEjSE (this=, args=, args=) at ../src/plugins/../plugins/plugins_ex.h:690
#11 ZNSt17_Function_handlerIFjP7drakvufP17drakvuf_trap_infoEZN8pluginex14wrap_plugin_cbIM14linux_syscallsFjS1_S3_EEESt8functionIS4_ET_EUlDpOT_E_E9_M_invokeERKSt9_Any_dataOS1_OS3 (__functor=..., __args=, __args=)
at /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/std_function.h:285
#12 0x0000555555751db3 in std::function<unsigned int (drakvuf*, drakvuf_trap_info*)>::operator()(drakvuf*, drakvuf_trap_info*) const (this=0x7ffff79e19ef, __args=0x7fffffffd0b8, __args=0x7fffffffd0b8)
at /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/std_function.h:688
#13 libhook::SyscallHook::createLinuxTrap(drakvuf*, std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, unsigned long)::$_3::operator()(drakvuf*, drakvuf_trap_info*) const (this=, drakvuf=,
info=0x7fffffffd0b8) at ../src/libhook/hooks/syscall.cpp:190
#14 libhook::SyscallHook::createLinuxTrap(drakvuf*, std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, unsigned long)::$_3::__invoke(drakvuf*, drakvuf_trap_info*) (drakvuf=0x5555558bb6f0, info=0x7fffffffd0b8)
at ../src/libhook/hooks/syscall.cpp:188
#15 0x0000555555622716 in _int3_cb (drakvuf=0x5555558bb6f0, event=) at ../src/libdrakvuf/vmi.c:717
#16 int3_cb (vmi=, event=0x5555558bba48) at ../src/libdrakvuf/vmi.c:795
#17 0x00007ffff7e5cafd in process_software_breakpoint (vmi=0x5555558c7540, vmec=0x7fffffffd1f0) at libvmi/driver/xen/xen_events.c:720
#18 0x00007ffff7e5af9b in process_requests_7 (vmi=0x5555558c7540, requests_processed=0x7fffffffd4b0) at libvmi/driver/xen/xen_events.c:3080
#19 0x00007ffff7e5c0da in xen_events_listen (vmi=0x5555558c7540, timeout=) at libvmi/driver/xen/xen_events.c:3322
#20 0x0000555555621086 in drakvuf_vmi_event_callback (fd=, data=0x5555558bb6f0) at ../src/libdrakvuf/vmi.c:1764
#21 0x0000555555621343 in drakvuf_poll (drakvuf=0x5555558bb6f0, timeout=) at ../src/libdrakvuf/vmi.c:1797
#22 0x00005555556211ea in drakvuf_loop (drakvuf=0x5555558bb6f0, is_interrupted=0x55555561b290 <is_interrupted(drakvuf*, void*)>, data=0x0) at ../src/libdrakvuf/vmi.c:1810
#23 0x000055555561b226 in drakvuf_c::loop (this=0x5555558bb6b0, duration=) at ../src/drakvuf.cpp:284
#24 0x000055555561970c in main (argc=, argv=) at ../src/main.cpp:1147

@cvcachagua
Author

I tried version:
git reset --hard 8cca41e
HEAD is now at 8cca41e [Linux] add execve method (#1300)
Built with:
git clean -xdf
git reset --hard
./autogen.sh
./autoreconf -vi --- added, otherwise make would not work
./configure --enable-debug
make
When I ran:
root@xhf:/home/user1/git/drakvuf# src/injector -r /root/vm1.json -d 4 -e /etc/xen/plugins/sensors-test-stdout/sensors -f "" -m execproc -i 1113
DRAKVUF src/injector v0.8-git20210921080219+8cca41e-1 Copyright (C) 2014-2021 Tamas K Lengyel
Injector starting /etc/xen/plugins/sensors-test-stdout/sensors through PID 1113 TID: 1113
Failed to trap trapframe return address
^CProcess startup success
CTRL-C after the user run process finished -- then the output "Process startup success" was output.
The first time I ran I saw the message "Failed to trap trapframe return address", but the other 4 times the message did not output.

I rebuilt libvmi
cd git/drakvuf/
cd libvmi/
autoreconf -vif
./configure --disable-kvm --disable-bareflank --disable-file
make
sudo make install
ls /usr/local/bin/

Could the problem be that the Xen version does not match?

Or perhaps I need a test case?

@cvcachagua
Author

I also ran like:
root@xhf:/home/cdprince/git/drakvuf# src/injector -r /root/vm1.json -d 4 -e /etc/xen/plugins/sensors-test-stdout/sensors -f "/home/cdprince/wait" -m execproc -i 2344
DRAKVUF src/injector v0.8-git20210921080219+8cca41e-1 Copyright (C) 2014-2021 Tamas K Lengyel
Injector starting /etc/xen/plugins/sensors-test-stdout/sensors through PID 2344 TID: 2344
^CProcess startup success
Note: CTRL-C after the user run process finished -- then the output "Process startup success" was output.
