Consider returning syscall arguments inside a dictionary referenced by an "Arguments" key (similar to apimon plugin) #1796
Comments
yelhamer
changed the title
|
Patches are always welcome |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello,
I am currently working on parsing the output of Drakvuf (as part of the Drakvuf Sandbox), and I think it would be very useful if the syscall arguments would be returned in the same manner as the apimon plugin does, i.e., within a dict referenced by an "Arguments" key. For example
{"Plugin": "syscall", "TimeStamp": "1716999134.580389", "PID": 3888, "PPID": 2852, "TID": 368, "UserName": "SessionID", "UserId": 2, "ProcessName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "Method": "NtRemoveIoCompletionEx", "EventUID": "0x17", "Module": "nt", "vCPU": 0, "CR3": "0x119b1002", "Syscall": 369, "NArgs": 6, "Arguments": {"IoCompletionHandle": "0xffffffff80001ac0", "IoCompletionInformation": "0xfffff506a0284040", "Count": "0x1", "NumEntriesRemoved": "0xfffff506a0284070", "Timeout": "0xfffff506a0284078", "Alertable": "0x0"}}This would make modeling syscall entries using libraries such as Pydantic and msgpack much easier and more efficient, and would make integration with other tools (such as capa, which is what I am integrating Drakvuf with currently) much easier.
If the devs agree to this, I can also try to implement this suggestion myself.
Thanks!
The text was updated successfully, but these errors were encountered: