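#!/usr/bin/env python3
"""Extract tid=6 kernel call sequence from canary-jitter-1.jsonl in install window.

Install window: host_ns in [9_000_000_000, 11_000_000_000] (9s..11s).
Per AUDIT-068 S3: vtable install at ~9.4-9.6s, sub_825070F0 spawn at 10.383s.

Outputs are written next to this script.

How it works: the trace is streamed line by line.  A cheap textual scan for
``"host_ns":`` rejects lines outside the window before any ``json.loads`` is
paid for.  The scan stops at the first event at or past T_HI, so the trace is
assumed to be in non-decreasing ``host_ns`` order.

Usage: ``extract.py [TRACE_JSONL]`` -- the optional argument overrides INPUT.
"""
from __future__ import annotations

import csv
import json
import os
import sys
from collections import Counter

INPUT = "/home/fabi/RE - Project Sylpheed/xenia-canary/build-cross/bin/Windows/Debug/canary-jitter-1.jsonl"
OUTDIR = os.path.dirname(os.path.abspath(__file__))

T_LO = 9_000_000_000
T_HI = 11_000_000_000
TARGET_TIDS = {6}

# Marker searched for in the raw line before JSON decoding.
HOST_NS_KEY = '"host_ns":'

# Event kind -> bucket name used for counting and reporting.
# Kinds not listed here land in the "other" bucket.
KIND_BUCKETS = {
    "import.call": "import.call",
    "kernel.call": "kernel.call",
    "kernel.return": "kernel.return",
    "handle.create": "handle.create",
    "thread.create": "thread",
    "thread.exit": "thread",
    "mem.write": "mem",
    "mem.read": "mem",
}
BUCKET_NAMES = (
    "import.call",
    "kernel.call",
    "kernel.return",
    "handle.create",
    "thread",
    "mem",
    "other",
)

CSV_HEADER = ("host_ns", "tid_event_idx", "kind", "name", "raw_handle", "detail")

# The detail column is truncated so a single oversized payload cannot bloat
# the CSV.
DETAIL_MAX = 200


def extract_host_ns(line: str) -> int | None:
    """Return the integer ``host_ns`` of a raw JSONL line, or ``None``.

    This is a deliberately shallow textual scan (no JSON decode) so that the
    bulk of the trace outside the window can be rejected cheaply.  The first
    occurrence of ``"host_ns":`` is used; whitespace after the colon is
    tolerated and a single leading minus sign is accepted.  Anything that does
    not yield an integer (missing key, non-numeric value) returns ``None``.
    """
    pos = line.find(HOST_NS_KEY)
    if pos < 0:
        return None
    i = pos + len(HOST_NS_KEY)
    end = len(line)
    # Tolerate '"host_ns": 123' as well as '"host_ns":123'.
    while i < end and line[i] in " \t":
        i += 1
    j = i
    if j < end and line[j] == "-":
        j += 1
    while j < end and line[j].isdigit():
        j += 1
    try:
        return int(line[i:j])
    except ValueError:
        # int("") / int("-") / non-ASCII "digits": no usable number here.
        return None


def scan_window(lines, t_lo=T_LO, t_hi=T_HI, target_tids=TARGET_TIDS):
    """Bucket the in-window events belonging to the target thread(s).

    Args:
        lines: iterable of raw JSONL lines (a file object or a list).
        t_lo, t_hi: half-open window ``[t_lo, t_hi)`` on ``host_ns``.
        target_tids: set of ``tid`` values to keep.

    Returns:
        ``(buckets, count_total, count_in_window)``.  ``buckets`` maps each
        name in ``BUCKET_NAMES`` to the list of decoded events in file order;
        ``count_total`` is the number of lines consumed (including the one
        that ended the scan); ``count_in_window`` is the number of kept events.

    Lines without a parseable ``host_ns``, lines that are not valid JSON, and
    JSON documents that are not objects are skipped.  The scan stops at the
    first line whose ``host_ns`` is ``>= t_hi``, so the input must be ordered
    by non-decreasing ``host_ns``.
    """
    buckets = {name: [] for name in BUCKET_NAMES}
    count_total = 0
    count_in_window = 0
    for line in lines:
        count_total += 1
        host_ns = extract_host_ns(line)
        if host_ns is None or host_ns < t_lo:
            continue
        if host_ns >= t_hi:
            break
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(ev, dict) or ev.get("tid") not in target_tids:
            continue
        count_in_window += 1
        bucket = KIND_BUCKETS.get(ev.get("kind", ""), "other")
        buckets[bucket].append(ev)
    return buckets, count_total, count_in_window


def build_rows(buckets):
    """Flatten the reportable buckets into rows sorted by (host_ns, idx).

    Only kernel.call, kernel.return, handle.create and thread events are
    listed; import.call, mem.* and other events are counted but not emitted.
    Each row is ``(host_ns, tid_event_idx, kind, name, raw_handle, detail)``.
    Missing ``host_ns`` / ``tid_event_idx`` sort as -1 instead of raising.
    """
    rows = []

    def key_fields(ev):
        # -1 keeps the sort total when a malformed event lacks a field.
        return ev.get("host_ns", -1), ev.get("tid_event_idx", -1)

    for ev in buckets["kernel.call"]:
        payload = ev.get("payload") or {}
        args = payload.get("args_resolved") or payload.get("args", {})
        detail = json.dumps(args)[:DETAIL_MAX]
        rows.append((*key_fields(ev), "kernel.call", payload.get("name", "?"), "", detail))

    for ev in buckets["kernel.return"]:
        payload = ev.get("payload") or {}
        rv = payload.get("return_value", "")
        st = payload.get("status", "")
        rows.append((*key_fields(ev), "kernel.return", payload.get("name", "?"), "", f"rv={rv} status={st}"))

    for ev in buckets["handle.create"]:
        payload = ev.get("payload") or {}
        rh = payload.get("raw_handle_id", "")
        ot = payload.get("object_type", "")
        rows.append((*key_fields(ev), "handle.create", "", rh, f"object_type={ot}"))

    for ev in buckets["thread"]:
        payload = ev.get("payload") or {}
        rows.append((*key_fields(ev), ev.get("kind", ""), "", "", json.dumps(payload)[:DETAIL_MAX]))

    rows.sort()
    return rows


def write_csv(path, rows):
    """Write *rows* (see ``build_rows``) as CSV and return the row count.

    The csv module is used so that every column -- not only detail -- is
    quoted correctly when it contains a comma, quote or newline.  Values are
    copied verbatim from the trace; no further sanitising is applied.
    """
    with open(path, "w", newline="", encoding="utf-8") as fh:
        writer = csv.writer(fh, lineterminator="\n")
        writer.writerow(CSV_HEADER)
        writer.writerows(rows)
    return len(rows)


def write_summary(path, kernel_calls, t_lo=T_LO, t_hi=T_HI, top_n=80):
    """Write the kernel.call frequency table to *path*; return the Counter.

    Args:
        path: output file.
        kernel_calls: decoded kernel.call events.
        t_lo, t_hi: window bounds echoed in the header line.
        top_n: how many of the most frequent names to list.
    """
    call_counts = Counter((ev.get("payload") or {}).get("name", "?") for ev in kernel_calls)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(f"Canary tid=6 install-window event summary [host_ns {t_lo}..{t_hi}]\n")
        fh.write("\n=== Top kernel.call by frequency ===\n")
        for name, c in call_counts.most_common(top_n):
            fh.write(f" {c:6d} {name}\n")
        fh.write("\n=== Unique kernel.call names ===\n")
        fh.write(f" {len(call_counts)}\n")
    return call_counts


def main(argv=None) -> int:
    """Run the extraction; return a process exit code.

    Args:
        argv: command-line arguments without the program name (defaults to
            ``sys.argv[1:]``); the first one, if given, overrides INPUT.
    """
    args = sys.argv[1:] if argv is None else list(argv)
    input_path = args[0] if args else INPUT

    try:
        # errors="replace": a stray invalid byte in the emulator trace should
        # not abort the whole extraction; the affected line simply fails
        # json.loads and is skipped like any other malformed line.
        with open(input_path, "r", encoding="utf-8", errors="replace") as f:
            buckets, count_total, count_in_window = scan_window(f)
    except FileNotFoundError:
        print(f"input trace not found: {input_path}", file=sys.stderr)
        return 1

    print(f"Total lines scanned: {count_total}")
    print(f"Events in window for tid in {TARGET_TIDS}: {count_in_window}")
    print(f" import.call: {len(buckets['import.call'])}")
    print(f" kernel.call: {len(buckets['kernel.call'])}")
    print(f" kernel.return: {len(buckets['kernel.return'])}")
    print(f" handle.create: {len(buckets['handle.create'])}")
    print(f" thread.create/exit: {len(buckets['thread'])}")
    print(f" mem.read/write: {len(buckets['mem'])}")
    print(f" other: {len(buckets['other'])}")

    rows = build_rows(buckets)
    write_csv(os.path.join(OUTDIR, "canary-tid6-install-window.csv"), rows)
    print(f"Wrote canary-tid6-install-window.csv with {len(rows)} ordered events.")

    write_summary(os.path.join(OUTDIR, "canary-tid6-install-window.summary"), buckets["kernel.call"])
    print("Wrote canary-tid6-install-window.summary")
    return 0


if __name__ == "__main__":
    sys.exit(main())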