feat(events): create access_remote_vm event
An event for accessing the memory of a process externally (can be the same process) by the mem file of the process in procfs.
Co-authored-by: OriGlassman <39296766+origlassman@users.noreply.github.com>
1 parent: 02dad67; commit: 0794743
Showing 9 changed files with 258 additions and 1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
# access_remote_vm | ||
|
||
## Intro | ||
access_remote_vm - gain access to the virtual memory of a separate process through the use of the procfs mem file. | ||
|
||
## Description | ||
This event marks access attempt of a process to the virtual memory of another process using the procfs mem file associated with that specific process (/proc/<pid>/mem). | ||
It is a more elaborated event than the `security_file_open` of the mem file. | ||
|
||
## Arguments | ||
* `remote_pid`: `int`[K] - PID of the process the memory area belongs to. | ||
* `start_address`: `void *`[K] - Start address of the operation. | ||
* `gup_flags`: `unsigned int`[K] - Flags for get_user_pages operation. | ||
* `vm_flags`: `unsigned long`[K] - Virtual memory flags. | ||
* `mapped.path`: `const char*`[K] - Path of the mapped file, or the name of memory area if no file is mapped. | ||
* `mapped.device_id`: `dev_t`[K,OPT] - Device ID of the mapped file. | ||
* `mapped.inode_number`: `unsigned long`[K,OPT] - Inode number of the mapped file. | ||
* `mapped.ctime`: `unsigned long`[K,OPT] - Creation time of the mapped file. | ||
|
||
## Hooks | ||
### get_user_pages_remote | ||
#### Type | ||
kprobe + kretprobe | ||
#### Purpose | ||
The main function that implements the access to the virtual memory area of the other process. | ||
|
||
### generic_access_phys | ||
#### Type | ||
kprobe | ||
#### Purpose | ||
A fallback function, implementing the `access` method of the `vma_operations` struct for most of the vmas. It is used to access special memory areas. | ||
|
||
## Related Events | ||
`security_file_open`,`security_mmap_file`,`vfs_write`,`vfs_writev`,`vfs_read`,`vfs_readv` |
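Review bot: the Intro and Description say "a separate process" / "another process", but the commit message states the access can come from the same process (a process reading or writing its own /proc/self/mem is one of the more common uses of this file), so the doc should say so, otherwise a reader will filter out the self-access case that the event actually reports. Two kernel details in the same hunk also need correcting: `mapped.ctime` is documented as "Creation time of the mapped file", but on Linux an inode's ctime is the last status-change time, not creation time, so "Change time (ctime) of the mapped file" is the accurate wording; and under `generic_access_phys` the struct is `vm_operations_struct`, not `vma_operations`, and that function is the `access` implementation used for mappings whose pages cannot be pinned (VM_IO / VM_PFNMAP device mappings), not "most of the vmas", which is precisely why it is the fallback when `get_user_pages_remote` fails. The Description's "It is a more elaborated event than the `security_file_open` of the mem file" would be clearer if it stated the actual distinction: `security_file_open` fires once when the mem file is opened, while this event fires per memory access and carries the remote PID, the address and the backing mapping. Finally, since `get_user_pages_remote` is reached by other kernel paths as well (ptrace's `access_process_vm` goes through the same `__access_remote_vm` helper), the Hooks section should say how the event confines itself to the procfs mem path, or document that those callers are also reported, so analysts know what to expect when they correlate this event with the related `vfs_read`/`vfs_write` events. Minor: add a space after the commas in the Related Events list.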