pyplugins.loggers.syscalls_logger module

Syscalls Logger Plugin

This plugin records system call events to the penguin database. It parses Linux error codes from header files, maps error numbers to names and explanations, and logs detailed syscall information including arguments, return values, and process context.

Purpose

  • Monitors all system call return events and execve/execveat entries in the guest.

  • Records syscall arguments, return values, and error codes with explanations.

  • Enables later analysis of system call activity and process behavior.

Usage

from pyplugins.loggers.syscalls_logger import PyPandaSysLog

syscalls_logger = PyPandaSysLog(panda)
# Syscall events will be logged automatically.

This plugin is loaded automatically as part of the penguin plugin system. It requires the syscalls, mem, portal, and osi plugins to be active.

The plugin extracts relevant fields and stores them in the database using the Syscall event type.

Arguments

  • outdir: Output directory for the SQLite database file.

  • procs: Optional list of process names to filter syscall logging. If not provided, all processes are logged.

class pyplugins.loggers.syscalls_logger.PyPandaSysLog(panda)[source]

Bases: Plugin

Plugin for logging system call events to the database.

Hooks into system call return and execve/execveat entry events and records them as Syscall events.

all_sys_ret(regs, proto, syscall)[source]

Callback for handling all syscall return events.

Parameters: - regs: Register/context object. - proto: Syscall prototype. - syscall: Syscall object.

Yields from handle_syscall to log the syscall event, except for execve.

Returns: None

Return type:

None

cstr(x)[source]
Return type:

str

disable()[source]
enable(args={})[source]
get_syscall_processors(proto)[source]

Returns cached list of: (arg_name, handler_func, is_gen, extra_data)

handle_syscall(regs, proto, syscall)[source]

Handle and log a syscall event.

Parameters: - regs: Register/context object. - proto: Syscall prototype. - syscall: Syscall object.

Extracts arguments, formats them, determines return value and error code, and logs the event to the database.

Returns: None

Return type:

None

sys_record_enter(regs, proto, syscall, *args)[source]
Return type:

None