pyplugins.loggers.rw_logger module

Read/Write Logger Plugin

This plugin records read and write system call events to the penguin database. It hooks into the system call return events for read and write, extracts relevant details such as file descriptor, buffer content, and process name, and stores them as Read and Write events in the database.

Purpose

  • Monitors file descriptor read and write operations in the guest.

  • Records buffer contents, file descriptor names, and process names for each event.

  • Enables later analysis of file I/O activity and data flow.

Usage

Simply add this plugin by name to your config.

The plugin extracts relevant fields and stores them in the database using the Read and Write event types.

class pyplugins.loggers.rw_logger.RWLog

Bases: Plugin

Plugin for logging read and write system call events to the database.

Hooks into system call return events and records them as Read and Write events.

disable()

enable()

read(regs, proto, syscall, fd, buf, count)

Callback for handling read syscall return events.

Parameters:

  • proto: Protocol or plugin-specific context.

  • syscall: Syscall number or identifier.

  • fd: File descriptor being read from.

  • buf: Buffer address containing data read.

  • count: Number of bytes read.

Reads the buffer content, resolves the file descriptor name and process name, and records the event in the database as a Read event.

Returns: None

Return type: None

write(regs, proto, syscall, fd, buf, count)

Callback for handling write syscall return events.

Parameters:

  • regs: CPU registers at the time of the syscall.

  • proto: Protocol or plugin-specific context.

  • syscall: Syscall number or identifier.

  • fd: File descriptor being written to.

  • buf: Buffer address containing data written.

  • count: Number of bytes written.

Reads the buffer content, resolves the file descriptor name and process name, and records the event in the database as a Write event.

Returns: None

Return type: None
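The following is an added, self-contained illustration of the logging flow the read() and write() callbacks describe; it is not the plugin's own code and does not use the penguin or emulator APIs, which this page does not show. Guest memory access, file-descriptor name resolution and process-name resolution are replaced by constructed stand-ins (FakeGuestMemory, an fd-to-path dict, a fixed process name), and the database is an in-memory sqlite3 table. Two behaviours are assumptions rather than documented behaviour: a negative count is treated as a -errno return and not recorded, and captured buffers are capped at MAX_RECORDED bytes.

```python
import sqlite3


class FakeGuestMemory:
    """Constructed stand-in for the emulator's guest-memory accessor."""

    def __init__(self, size=0x1000):
        self.mem = bytearray(size)

    def store(self, addr, data):
        self.mem[addr:addr + len(data)] = data

    def read(self, addr, length):
        # Refuse out-of-range reads instead of silently returning short data.
        if addr < 0 or addr + length > len(self.mem):
            raise ValueError("guest read out of range")
        return bytes(self.mem[addr:addr + length])


class RWLogExample:
    """Mirrors the documented RWLog interface: enable/disable plus read/write callbacks."""

    MAX_RECORDED = 4096  # assumption: cap on stored buffer size; the page states no limit

    def __init__(self, memory, fd_table, proc_name):
        self.memory = memory        # guest memory accessor (stand-in)
        self.fd_table = fd_table    # {fd: path}, stand-in for fd-name resolution
        self.proc_name = proc_name  # stand-in for process-name resolution
        self.enabled = False
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE events (kind TEXT, proc TEXT, fd INTEGER, "
            "fd_name TEXT, count INTEGER, data BLOB)"
        )

    def enable(self):
        self.enabled = True

    def disable(self):
        self.enabled = False

    def _record(self, kind, fd, buf, count):
        if not self.enabled:
            return None
        if count < 0:
            # Assumption: a negative syscall return is -errno; nothing was
            # transferred, so there is no buffer content to capture.
            return None
        data = self.memory.read(buf, min(count, self.MAX_RECORDED))
        fd_name = self.fd_table.get(fd, "<fd %d>" % fd)
        self.db.execute(
            "INSERT INTO events VALUES (?, ?, ?, ?, ?, ?)",
            (kind, self.proc_name, fd, fd_name, count, data),
        )
        self.db.commit()
        return None

    def read(self, regs, proto, syscall, fd, buf, count):
        """Read-syscall return callback: store the bytes the guest received."""
        return self._record("Read", fd, buf, count)

    def write(self, regs, proto, syscall, fd, buf, count):
        """Write-syscall return callback: store the bytes the guest sent."""
        return self._record("Write", fd, buf, count)

    def events(self):
        """Return all recorded events in insertion order (for later analysis)."""
        return self.db.execute(
            "SELECT kind, proc, fd, fd_name, count, data FROM events ORDER BY rowid"
        ).fetchall()


def demo():
    """Drive the callbacks with constructed sample values and return the recorded rows."""
    mem = FakeGuestMemory()
    mem.store(0x100, b"hello from guest")  # constructed sample buffer
    plugin = RWLogExample(mem, {3: "/etc/passwd", 4: "/tmp/out"}, "sh")
    plugin.enable()
    # syscall numbers 0/1 are constructed sample values for read/write
    plugin.read(regs=None, proto=None, syscall=0, fd=3, buf=0x100, count=16)
    plugin.write(regs=None, proto=None, syscall=1, fd=4, buf=0x100, count=5)
    plugin.read(regs=None, proto=None, syscall=0, fd=3, buf=0x100, count=-9)  # error: skipped
    plugin.disable()
    plugin.write(regs=None, proto=None, syscall=1, fd=4, buf=0x100, count=5)  # disabled: skipped
    return plugin.events()


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The stand-in keeps the same callback signatures as the documented class, so the only parts that would change in a real deployment are the three resolution helpers and the database target; everything that decides what gets recorded (enabled state, error returns, buffer capping) is independent of the emulator.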