Trait GuestPlugin 

pub trait GuestPlugin: Plugin {
    // Required methods
    fn on_start(&self, ctx: &Context) -> Result<()>;
    fn on_stop(&self, ctx: &Context) -> Result<()>;

    // Provided method
    fn execute_sample(&self, sample_path: &Path) -> Result<LaunchResult> { ... }
}

Trait for malbox guest plugins that run inside an ephemeral VM.

The SDK owns the lifecycle sequence:

  1. on_start - plugin sets up monitoring, receives context
  2. execute_sample - SDK calls this to launch the sample (default: platform launcher)
  3. SDK waits for analysis timeout
  4. on_stop - plugin flushes results and tears down

Required Methods

fn on_start(&self, ctx: &Context) -> Result<()>

Called when the analysis task begins. Set up monitoring infrastructure (ETW sessions, decoders, sinks, etc.) and return when ready to capture.

The SDK guarantees execute_sample will not be called until this returns.

fn on_stop(&self, ctx: &Context) -> Result<()>

Called when the analysis timeout expires or the daemon signals shutdown. Flush all buffered results via Context::results().push() and tear down.

Provided Methods

fn execute_sample(&self, sample_path: &Path) -> Result<LaunchResult>

Launch the sample at the given path. Called by the SDK after on_start.

The default implementation uses the platform’s process creation API. Override for non-EXE scenarios (DLL loading, COM dispatch, etc.).
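The lifecycle and the execute_sample override described above, as an added example that is not malbox SDK code: Context, Results, LaunchResult (including its pid field), Plugin, the Result alias, DllPlugin and run_lifecycle are local stand-ins modeled on the signatures shown on this page, and the sample path is constructed. The override refuses to launch until on_start has armed monitoring, so a sample never runs unobserved, and on_stop flushes buffered results through Context::results().push().

```rust
use std::path::Path;
use std::sync::Mutex;
// Local stand-ins modeled on the signatures above; NOT the malbox SDK's own types.
type Result<T> = std::result::Result<T, String>;
pub struct LaunchResult { pub pid: u32 } // hypothetical field
#[derive(Default)]
pub struct Results(Mutex<Vec<String>>);
impl Results { pub fn push(&self, r: String) { self.0.lock().unwrap().push(r); } }
#[derive(Default)]
pub struct Context { results: Results }
impl Context { pub fn results(&self) -> &Results { &self.results } }
pub trait Plugin {}
pub trait GuestPlugin: Plugin {
    fn on_start(&self, ctx: &Context) -> Result<()>;
    fn on_stop(&self, ctx: &Context) -> Result<()>;
    fn execute_sample(&self, _sample_path: &Path) -> Result<LaunchResult> {
        Ok(LaunchResult { pid: 0 }) // stand-in for the platform launcher
    }
}
// Hooks take &self, so mutable plugin state needs interior mutability.
#[derive(Default)]
pub struct DllPlugin { armed: Mutex<bool>, buffered: Mutex<Vec<String>> }
impl Plugin for DllPlugin {}
impl GuestPlugin for DllPlugin {
    fn on_start(&self, _ctx: &Context) -> Result<()> {
        *self.armed.lock().unwrap() = true; // monitoring ready to capture
        Ok(())
    }
    // Override for a non-EXE sample; refuses to launch while monitoring is down.
    fn execute_sample(&self, sample_path: &Path) -> Result<LaunchResult> {
        if !*self.armed.lock().unwrap() { return Err("launch before on_start".into()); }
        self.buffered.lock().unwrap().push(format!("loaded {}", sample_path.display()));
        Ok(LaunchResult { pid: 4242 }) // constructed value, no real DLL is loaded
    }
    fn on_stop(&self, ctx: &Context) -> Result<()> {
        for r in self.buffered.lock().unwrap().drain(..) { ctx.results().push(r); }
        *self.armed.lock().unwrap() = false;
        Ok(())
    }
}
// Stand-in for the SDK driver: on_start, execute_sample, (timeout wait), on_stop.
pub fn run_lifecycle(p: &dyn GuestPlugin, sample: &Path) -> Result<Vec<String>> {
    let ctx = Context::default();
    p.on_start(&ctx)?;
    p.execute_sample(sample)?;
    p.on_stop(&ctx)?;
    let out = ctx.results.0.lock().unwrap().clone();
    Ok(out)
}
fn main() { println!("{:?}", run_lifecycle(&DllPlugin::default(), Path::new("sample.dll"))); }
```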

Implementors