Commit
edriver-rust: adding process impl with maps
1 parent
a5f18ec
commit 20d9215
Showing
17 changed files
with
172 additions
and
32 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,12 +1,5 @@ | ||
// #include "include/hades_exec.h" | ||
// #include "include/hades_net.h" | ||
// #include "include/hades_privilege.h" | ||
// #include "include/hades_rootkit.h" | ||
// #include "include/hades_file.h" | ||
// #include "include/hades_uprobe.h" | ||
// #include "include/hades_honeypot.h" | ||
|
||
#include "common/edriver.h" | ||
// #include "common/rasp/java.h" | ||
|
||
__u32 _version SEC("version") = 0xFFFFFFFE; | ||
char LICENSE[] SEC("license") = "GPL"; |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
use super::{parse_sinfo, parse_str, parse_u16, parse_u32, Event}; | ||
use crate::process::*; | ||
use anyhow::Result; | ||
|
||
pub struct RaspJava {} | ||
|
||
struct JavaInstance {} | ||
|
||
// impl Event for RaspJava { | ||
// // fn init() -> Result<()> { | ||
|
||
// // } | ||
// } |
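Review bot: The two `use` lines at the top of this stub bring in `parse_sinfo`, `parse_str`, `parse_u16`, `parse_u32`, `Event`, `Result` and the whole `crate::process` module while nothing in the file uses them, so every build of the crate will emit `unused_imports` warnings, and the private `JavaInstance {}` adds a `dead_code` one. Until the `impl Event for RaspJava` block is uncommented, either drop the imports and the private struct or gate them with a justified `#[allow(dead_code)] // placeholder until RASP Java impl lands`, so the warning output stays meaningful for the rest of the crate.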
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,4 @@ | ||
pub mod bpfmgr; | ||
pub mod cache; | ||
pub mod events; | ||
pub mod process; |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,99 @@ | ||
use anyhow::{bail, Result}; | ||
use bitflags::bitflags; | ||
use std::fs::read_to_string; | ||
|
||
type PermFlag = u8; | ||
|
||
/// Process is the trait to inspect system running process | ||
pub trait Process { | ||
/// Return the process identifier | ||
fn pid() -> u32; | ||
} | ||
|
||
/// Information about the process memory mapping | ||
#[derive(Default, Debug)] | ||
pub struct Mapping { | ||
/// Start address for virtual memory | ||
pub vaddr_start: u64, | ||
/// End address for virual memory | ||
vaddr_end: u64, | ||
/// Permissions of the page. 'p' flag means private | ||
perm: PermFlag, | ||
/// Offset for the mapping begins. | ||
offset: u64, | ||
/// Device is the major and minor device number (in hex) where the file lives. | ||
device_id: String, | ||
/// Inode of the file | ||
inode: u64, | ||
// Path contains the file name for file backed mappings | ||
path: Option<String>, | ||
} | ||
|
||
bitflags! { | ||
#[derive(Default)] | ||
pub struct MPermissions: PermFlag { | ||
/// No permissions | ||
const NONE = 0; | ||
/// Read permission | ||
const READ = 1 << 0; | ||
/// Write permission | ||
const WRITE = 1 << 1; | ||
/// Execute permission | ||
const EXECUTE = 1 << 2; | ||
/// Memory is shared with another process. | ||
/// Mutually exclusive with PRIVATE. | ||
const SHARED = 1 << 3; | ||
/// Memory is private (and copy-on-write) | ||
/// Mutually exclusive with SHARED. | ||
const PRIVATE = 1 << 4; | ||
} | ||
} | ||
|
||
impl MPermissions { | ||
fn from_str(s: &str) -> Result<Self> { | ||
if s.len() != 4 { | ||
bail!("Permission length {}", s.len()); | ||
} | ||
let mut permissions = MPermissions::NONE; | ||
for (_, c) in s.chars().enumerate() { | ||
match c { | ||
'r' => permissions |= MPermissions::READ, | ||
'w' => permissions |= MPermissions::WRITE, | ||
'x' => permissions |= MPermissions::EXECUTE, | ||
'p' => permissions |= MPermissions::PRIVATE, | ||
's' => permissions |= MPermissions::SHARED, | ||
_ => continue, | ||
} | ||
} | ||
Ok(permissions) | ||
} | ||
} | ||
|
||
/// Parse mapping | ||
pub fn parse_mapping(pid: u32) -> Result<Vec<Mapping>> { | ||
// Read the maps from file | ||
let maps = read_to_string(format!("/proc/{}/maps", pid))?; | ||
let mut ret: Vec<Mapping> = Vec::with_capacity(maps.len()); | ||
for line in maps.lines() { | ||
if let Ok(m) = parse_mapping_line(line) { | ||
ret.push(m) | ||
} | ||
} | ||
Ok(ret) | ||
} | ||
|
||
fn parse_mapping_line(line: &str) -> Result<Mapping> { | ||
let mut m = Mapping::default(); | ||
// Split fields with blanks | ||
let fields = line.split_whitespace().collect::<Vec<&str>>(); | ||
// Extract vaddr | ||
let vaddr: Vec<&str> = fields[0].split('-').collect(); | ||
m.vaddr_start = u64::from_str_radix(vaddr[0], 16)?; | ||
m.vaddr_end = u64::from_str_radix(vaddr[1], 16)?; | ||
m.perm = MPermissions::from_str(fields[1])?.bits(); | ||
m.offset = u64::from_str_radix(fields[2], 16)?; | ||
m.device_id = fields[3].to_string(); | ||
m.inode = fields[4].parse()?; | ||
m.path = fields.get(5).map(|s| s.to_string()); | ||
Ok(m) | ||
} |
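Review bot: `parse_mapping_line` indexes `fields[0]`..`fields[4]` and `vaddr[1]` directly, so an empty or short line panics instead of returning `Err`, and the `if let Ok(m)` filter in `parse_mapping` cannot catch a panic; the rewrite below threads the line through a small `take_field` helper that `bail!`s on a missing field. It also keeps everything after the inode as the path, because `fields.get(5)` drops the ` (deleted)` suffix the kernel appends when a mapping's backing file has been unlinked (and truncates any path containing a space), which is precisely the detail a memory-inspection tool wants to preserve. `Vec::with_capacity(maps.len())` reserves one `Mapping` per byte of the maps text rather than per line; `Vec::new()` or `maps.lines().count()` is the intended size. The `if let Ok(m)` in `parse_mapping` additionally discards any line that fails to parse without a trace, so a malformed mapping silently vanishes; at minimum log the error before skipping the line. Minor: `MPermissions::from_str` shadows the `FromStr` convention (implement the trait instead), `for (_, c) in s.chars().enumerate()` has a redundant `enumerate`, `Process::pid()` takes no `self` so it cannot say which process it describes, and the `vaddr_end` doc comment reads "virual".
```rust
// … unchanged: imports, Process, Mapping, MPermissions, parse_mapping …

/// Splits the next whitespace-delimited token off `rest`.
///
/// Returns an error (never panics) when the line is shorter than the
/// `/proc/<pid>/maps` format requires; `what` names the missing field.
fn take_field<'a>(rest: &mut &'a str, what: &str) -> Result<&'a str> {
    let cur: &'a str = *rest;
    let cur = cur.trim_start();
    let end = cur.find(char::is_whitespace).unwrap_or(cur.len());
    if end == 0 {
        bail!("maps line is missing the {} field", what);
    }
    *rest = &cur[end..];
    Ok(&cur[..end])
}

/// Parse one line of `/proc/<pid>/maps` into a [`Mapping`].
///
/// Every field access is checked, so a malformed line yields `Err`
/// rather than a panic. The pathname is whatever follows the inode,
/// kept whole: it may contain spaces, and the kernel's " (deleted)"
/// suffix marks mappings whose backing file is gone.
fn parse_mapping_line(line: &str) -> Result<Mapping> {
    let mut rest = line;
    let addr = take_field(&mut rest, "address")?;
    let (start, end) = match addr.split_once('-') {
        Some(pair) => pair,
        None => bail!("malformed address range {:?}", addr),
    };
    let mut m = Mapping::default();
    m.vaddr_start = u64::from_str_radix(start, 16)?;
    m.vaddr_end = u64::from_str_radix(end, 16)?;
    m.perm = MPermissions::from_str(take_field(&mut rest, "perms")?)?.bits();
    m.offset = u64::from_str_radix(take_field(&mut rest, "offset")?, 16)?;
    m.device_id = take_field(&mut rest, "dev")?.to_string();
    m.inode = take_field(&mut rest, "inode")?.parse()?;
    let path = rest.trim();
    m.path = (!path.is_empty()).then(|| path.to_string());
    Ok(m)
}
```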
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
pub mod maps; | ||
pub mod process; |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
#[derive(Debug, Clone, Default)] | ||
pub struct ProcessInfo { | ||
pub pid: u32, | ||
pub cmdline: Option<String>, | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
use edrivers::process::maps::parse_mapping; | ||
|
||
#[test] | ||
fn test_parse_mapping() { | ||
if let Ok(e) = parse_mapping(1) { | ||
assert_ne!(e.len(), 0); | ||
} else { | ||
panic!("parse mapping failed"); | ||
} | ||
} |
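Review bot: `parse_mapping(1)` reads `/proc/1/maps`, which on Linux is gated by ptrace access to PID 1 and so is not readable by an unprivileged caller; a plain `cargo test` then hits `panic!("parse mapping failed")` (or an empty result) for a reason unrelated to the parser. Use the test's own process, whose maps are always readable and never empty: `if let Ok(e) = parse_mapping(std::process::id()) {`. The `if let … else { panic!() }` shape can also collapse to `let e = parse_mapping(std::process::id()).expect("parse mapping failed");`. Since `parse_mapping_line` is private, an in-module `#[cfg(test)]` test feeding it constructed lines (one anonymous mapping, one with a ` (deleted)` suffix) would pin the field parsing without depending on `/proc` at all.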