pyplugins.interventions.mount module
Mount Tracker Plugin
This module provides a passive tracker for mount attempts within a guest environment. It is intended for use with the Penguin analysis framework and is implemented as a plugin.
Purpose
- Tracks when the guest tries to mount filesystems.
- Records unsupported filesystem types (e.g., when mount returns EINVAL) to inform kernel support decisions.
- Logs attempts to mount missing devices.
- Can optionally fake mount successes for specific targets or all mounts, aiding in analysis and mitigation.
Usage
The plugin can be configured with the following arguments:
- outdir: Output directory for logs.
- fake_mounts: List of mount targets to fake as successful.
- all_succeed: If set, all mount attempts are faked as successful.
- verbose: Enables debug logging.
Example
All mount attempts are logged to mounts.csv in the specified output directory.
- class pyplugins.interventions.mount.MountTracker
Bases: Plugin
Mount Tracker Plugin
Tracks and logs mount attempts in the guest.
Attributes
- outdir : str
  Output directory for logs.
- mounts : set of tuple
  Set of (source, target, fs_type) tuples already logged.
- fake_mounts : list of str
  List of mount targets to fake as successful.
- all_succeed : bool
  If True, all mount attempts are faked as successful.
Behavior
- Subscribes to exec events to detect /bin/mount invocations.
- Hooks the mount syscall return to log and optionally fake mount results.
- find_mount(event)
Detects /bin/mount invocations from exec events and logs them.
Parameters
- event : dict
  Exec event dictionary, expected to have 'procname' and 'argv' keys.
Returns
None
- log_mount(retval, results)
Logs a mount attempt to the output CSV file if not already logged.
Parameters
- retval : int
  Return value of the mount syscall, or -1 for exec events.
- results : dict
  Dictionary with keys 'source', 'target', 'fs_type'.
Returns
None
- post_mount(regs, proto, syscall, source, target, fs_type, flags, data)
Coroutine callback for the mount syscall return.
Reads the mount arguments from memory, logs the attempt, and optionally fakes the result.
Parameters
- regs : object
  Register state.
- proto : object
  Protocol context (opaque, framework-specific).
- syscall : object
  Syscall context, with .retval for the return value.
- source : int
  Pointer to the source device string.
- target : int
  Pointer to the mount target string.
- fs_type : int
  Pointer to the filesystem type string.
- flags : int
  Mount flags.
- data : int
  Pointer to mount data.
Returns
None
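As an added illustration (not the plugin's own code), the following model reproduces the dedup, CSV logging and fake-success logic described for log_mount and post_mount above: the real result is logged first, then the guest-visible return value is rewritten to 0 when the target is in fake_mounts or all_succeed is set. The FakeSyscall class, the MountTrackerModel name, the in-memory log standing in for mounts.csv and the errno values used to label a missing device are assumptions of this example.

```python
import csv
import errno
import io
from dataclasses import dataclass, field


@dataclass
class FakeSyscall:
    """Constructed stand-in for the framework's syscall context; only .retval is used."""
    retval: int


@dataclass
class MountTrackerModel:
    """Model of the tracker's bookkeeping: dedup set, CSV log and fake-success policy."""
    fake_mounts: list = field(default_factory=list)
    all_succeed: bool = False
    mounts: set = field(default_factory=set)               # (source, target, fs_type) already logged
    log: io.StringIO = field(default_factory=io.StringIO)  # stands in for mounts.csv

    @staticmethod
    def classify(retval):
        """Label a raw mount(2) return value (Linux convention: 0 or negative errno)."""
        if retval == 0:
            return "ok"
        if retval == -errno.EINVAL:                   # unsupported filesystem type, per the plugin docs
            return "unsupported_fs"
        if retval in (-errno.ENOENT, -errno.ENXIO):   # assumption: how a missing device shows up
            return "missing_device"
        return "error"

    def log_mount(self, retval, results):
        """Append one CSV row unless this (source, target, fs_type) was already logged."""
        key = (results["source"], results["target"], results["fs_type"])
        if key in self.mounts:
            return False
        self.mounts.add(key)
        csv.writer(self.log, lineterminator="\n").writerow([*key, retval, self.classify(retval)])
        return True

    def post_mount(self, syscall, source, target, fs_type):
        """Log the real outcome first, then fake success if the policy asks for it."""
        self.log_mount(syscall.retval, {"source": source, "target": target, "fs_type": fs_type})
        if self.all_succeed or target in self.fake_mounts:
            syscall.retval = 0   # the guest now sees the mount as having succeeded
        return syscall.retval
```

Because the row is written before the return value is rewritten, the CSV keeps the kernel's real verdict (here EINVAL for an unsupported filesystem) even when the guest is shown a success.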