
Absence of data in logs file

[Open] StrangerZ opened this issue 7 years ago • 7 comments

Good evening to you, Vincent!

I did exactly as you said and, finally, got the .kext file installed in my VMware virtual machine (OS X 10.7.4). I also defined a file for the serial port in VMware Fusion in the Documents folder.

For now, the problem is that I don't get any data in the log file even though I perform some activity in the virtual machine. What I tried: opening Safari and web surfing, running the ping command from Terminal.app, opening Activity Monitor and killing the iTunes process.

What am I doing wrong? How can I collect the data? grey_fox is installed and turned on with run_greyfox.sh from the Extensions folder.

Best regards, Nick.

StrangerZ avatar Dec 14 '17 10:12 StrangerZ

Can you take a look at the [GREY FOX] logs in Console.app? There should also be some OS specific logging in the serial output. If this is not the case, something is wrong with your serial port configuration.

vivami avatar Dec 14 '17 11:12 vivami

If we are speaking about Console.app in the sandbox virtual machine, I can see this: [screenshot 2017-12-14 at 14:24:44] [screenshot 2017-12-14 at 14:25:12] It is still not clear whose syscalls grey_fox hooks. Is it possible to collect the data only for some special program?

StrangerZ avatar Dec 14 '17 11:12 StrangerZ

All the syscalls seem to hook correctly. Can you show the output of the serial port?

vivami avatar Dec 14 '17 13:12 vivami

So this is the screen of VMware Fusion with the serial port connected: [screenshot 2017-12-14 at 16:52:05]

Here we see that the serial port output is defined in the file "greyFoxLogFile" in the Documents folder: [screenshot 2017-12-14 at 16:52:17]

And this is the content of the log file: [screenshot 2017-12-14 at 16:51:14] I see these strings even though I perform the actions described above. As we found out, hooks are displayed correctly in Console.app, but the log file is not being appended to at all.

StrangerZ avatar Dec 14 '17 13:12 StrangerZ

OK, that's weird. You can try to use printf instead of kprintf which will log to Console.app instead of a serial port.

vivami avatar Dec 15 '17 18:12 vivami

But in the third comment, as you can see, I get some kind of messages from the grey_fox driver in my sandbox virtual machine's Console.app (so, probably, kprintf works fine). The problem is that I can't get the same messages in the log file on the main machine even though I set up the serial port correctly.

Furthermore, it is a bit unclear which hooks we get in Console.app. How to distinguish them? I need to acquire the list of system calls of one special app - is it possible to get it with grey_fox?

Thanks for a fast reply in advance, vivami.

[UPDATE]: I've just found out that the driver does not react to the system calls made by any process in the system. At least I see no GREY FOX messages in Console.app but for the first ones (as you saw in the third comment).

StrangerZ avatar Dec 15 '17 23:12 StrangerZ

You should replace kprintf on 209 and 237 with printf and compile again. All the logs will then show up in Console.app. kprintf only outputs to the serial port (which apparently doesn't work for you). You should be able to see which process performs which calls.

vivami avatar Dec 18 '17 14:12 vivami
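For reference, this is the VMware serial-to-file setup that the thread assumes but never spells out. It is an added example, not part of the original issue or of the grey_fox project: the `.vmx` keys below are the standard VMware serial-port settings, and the log path is a placeholder you replace with your own.

```ini
; Host side: add to the guest's .vmx (inside the .vmwarevm bundle on Fusion)
; while the VM is powered off. Backs the virtual COM1 with a plain file so
; everything the guest kernel writes with kprintf lands in that file.
serial0.present = "TRUE"
serial0.fileType = "file"
serial0.fileName = "/Users/<you>/Documents/greyFoxLogFile"   ; placeholder path
serial0.startConnected = "TRUE"
; Lets the guest poll the UART without burning a host core (optional).
serial0.yieldOnMsrRead = "TRUE"

; Guest side (assumption, from XNU's pexpert kprintf setup, not from this
; thread): kprintf stays silent unless the DB_KPRT bit (0x8) is set in the
; "debug" boot argument. Run inside the VM, then reboot it:
;   sudo nvram boot-args="debug=0x8"
```

If `[GREY FOX]` lines reach Console.app but the file stays empty, check the guest boot argument first; printf goes through the system log regardless, which is why vivami suggests it as the fallback.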