process

package
v0.0.0-...-1cdf030 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 7, 2024 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	NAMESPACE_CORE  = "CORE\x00"
	NAMESPACE_LINUX = "LINUX\x00"

	NT_AUXV         elf.NType = 6
	NT_FILE         elf.NType = 0x46494c45
	NT_ARM_TLS      elf.NType = 0x401
	NT_ARM_PAC_MASK elf.NType = 0x406

	AT_PHDR         = 3
	AT_SYSINFO_EHDR = 33
)

Variables

This section is empty.

Functions

This section is empty.

Types

type CoredumpFile 

type CoredumpFile struct {

	// Name is the mapped file's name
	Name string
	// Mappings contains mappings regarding this file
	Mappings []CoredumpMapping
	// Base is the virtual address where this file is loaded
	Base uint64
	// contains filtered or unexported fields
}

CoredumpFile contains information about a file mapped into a coredump

func (*CoredumpFile) OpenELF 

func (cf *CoredumpFile) OpenELF() (*pfelf.File, error)

OpenELF opens the CoredumpFile as an ELF.

The returned `pfelf.File` is borrowing the coredump file. Closing it will not close the underlying CoredumpFile.

func (*CoredumpFile) ReadAt 

func (cf *CoredumpFile) ReadAt(p []byte, addr int64) (int, error)

ReadAt reads a file inside a core dump from given file offset.

type CoredumpMapping 

type CoredumpMapping struct {
	// Corresponding PT_LOAD segment
	Prog *pfelf.Prog
	// File is the backing file for this mapping
	File *CoredumpFile
	// FileOffset is the offset in the original backing file
	FileOffset uint64
}

CoredumpMapping describes a file backed mapping in a coredump

type CoredumpProcess 

type CoredumpProcess struct {
	*pfelf.File
	// contains filtered or unexported fields
}

CoredumpProcess implements Process interface to ELF coredumps

func OpenCoredump 

func OpenCoredump(name string) (*CoredumpProcess, error)

OpenCoredump opens the named file as a coredump.

func OpenCoredumpFile 

func OpenCoredumpFile(f *pfelf.File) (*CoredumpProcess, error)

OpenCoredumpFile opens the given `pfelf.File` as a coredump.

Ownership of the file is transferred. Closing the coredump closes the underlying file as well.

func (*CoredumpProcess) CalculateMappingFileID 

func (cd *CoredumpProcess) CalculateMappingFileID(m *Mapping) (libpf.FileID, error)

CalculateMappingFileID implements the Process interface

func (*CoredumpProcess) GetMachineData 

func (cd *CoredumpProcess) GetMachineData() MachineData

GetMachineData implements the Process interface

func (*CoredumpProcess) GetMappingFileLastModified 

func (cd *CoredumpProcess) GetMappingFileLastModified(_ *Mapping) int64

GetMappingFileLastModified implements the Process interface

func (*CoredumpProcess) GetMappings 

func (cd *CoredumpProcess) GetMappings() ([]Mapping, error)

GetMappings implements the Process interface

func (*CoredumpProcess) GetThreads 

func (cd *CoredumpProcess) GetThreads() ([]ThreadInfo, error)

GetThreadInfo implements the Process interface

func (*CoredumpProcess) MainExecutable 

func (cd *CoredumpProcess) MainExecutable() string

MainExecutable gets the file path from the mappings of the main executable.

func (*CoredumpProcess) OpenELF 

func (cd *CoredumpProcess) OpenELF(path string) (*pfelf.File, error)

OpenELF implements the ELFOpener and Process interfaces

func (*CoredumpProcess) OpenMappingFile 

func (cd *CoredumpProcess) OpenMappingFile(_ *Mapping) (ReadAtCloser, error)

OpenMappingFile implements the Process interface

func (*CoredumpProcess) PID 

func (cd *CoredumpProcess) PID() util.PID

PID implements the Process interface

type FileMappingEntry64 

type FileMappingEntry64 struct {
	Start, End, FileOffset uint64
}

FileMappingEntry64 is the per-mapping data header in CORE/NT_FILE note

type FileMappingHeader64 

type FileMappingHeader64 struct {
	Entries  uint64
	PageSize uint64
}

FileMappingHeader64 is the header for CORE/NT_FILE note

type MachineData 

type MachineData struct {
	// Machine is the Process Machine type
	Machine elf.Machine
	// CodePACMask contains the PAC mask for code pointers. ARM64 specific, otherwise 0.
	CodePACMask uint64
	// DataPACMask contains the PAC mask for data pointers. ARM64 specific, otherwise 0.
	DataPACMask uint64
}

MachineData contains machine specific information about the process

type Mapping 

type Mapping struct {
	// Vaddr is the virtual memory start for this mapping
	Vaddr uint64
	// Length is the length of the mapping
	Length uint64
	// Flags contains the mapping flags and permissions
	Flags elf.ProgFlag
	// FileOffset contains for file backed mappings the offset from the file start
	FileOffset uint64
	// Device holds the device ID where the file is located
	Device uint64
	// Inode holds the mapped file's inode number
	Inode uint64
	// Path contains the file name for file backed mappings
	Path string
}

Mapping contains information about a memory mapping

func (*Mapping) GetOnDiskFileIdentifier 

func (m *Mapping) GetOnDiskFileIdentifier() util.OnDiskFileIdentifier

func (*Mapping) IsAnonymous 

func (m *Mapping) IsAnonymous() bool

func (*Mapping) IsExecutable 

func (m *Mapping) IsExecutable() bool

func (*Mapping) IsMemFD 

func (m *Mapping) IsMemFD() bool

func (*Mapping) IsVDSO 

func (m *Mapping) IsVDSO() bool

type Note64 

type Note64 struct {
	Namesz, Descsz, Type uint32
}

ELF64 Note header.

type Process 

type Process interface {
	// PID returns the process identifier
	PID() util.PID

	// GetMachineData reads machine specific data from the target process
	GetMachineData() MachineData

	// GetMappings reads and parses process memory mappings
	GetMappings() ([]Mapping, error)

	// GetThreads reads the process thread states
	GetThreads() ([]ThreadInfo, error)

	// GetRemoteMemory returns a remote memory reader accessing the target process
	GetRemoteMemory() remotememory.RemoteMemory

	// OpenMappingFile returns ReadAtCloser accessing the backing file of the mapping
	OpenMappingFile(*Mapping) (ReadAtCloser, error)

	// GetMappingFileLastModifed returns the timestamp when the backing file was last modified
	// or zero if an error occurs or mapping file is not accessible via filesystem
	GetMappingFileLastModified(*Mapping) int64

	// CalculateMappingFileID calculates FileID of the backing file
	CalculateMappingFileID(*Mapping) (libpf.FileID, error)

	io.Closer

	pfelf.ELFOpener
}

Process is the interface to inspect ELF coredump/process. The current implementations do not allow concurrent access to this interface from different goroutines. As an exception the ELFOpener and the returned GetRemoteMemory object are safe for concurrent use.

func New 

func New(pid util.PID) Process

New returns an object with Process interface accessing it

func NewPtrace 

func NewPtrace(pid util.PID) (Process, error)

NewPtrace attaches the calling goroutine to the target PID using unix PTrace API. The goroutine is locked to a system thread due to the PTrace API requirements. WARNING: All usage of Process interface to this implementation should be from one goroutine. If this is not sufficient in future, the implementation should be refactored to pass all requests via a proxy goroutine through channels so that the kernel requirements are fulfilled.

type PrpsInfo64 

type PrpsInfo64 struct {
	State  uint8
	Sname  uint8
	Zombie uint8
	Nice   uint8
	Gap    uint32
	Flags  uint64
	UID    uint32
	GID    uint32
	PID    uint32
	PPID   uint32
	PGRP   uint32
	SID    uint32
	FName  [16]byte
	Args   [80]byte
}

PrpsInfo64 is the 64-bit NT_PRPSINFO note header

type ReadAtCloser 

type ReadAtCloser interface {
	io.ReaderAt
	io.Closer
}

ReadAtCloser interfaces implements io.ReaderAt and io.Closer

type ThreadInfo 

type ThreadInfo struct {
	// TPBase contains the Thread Pointer Base value
	TPBase uint64
	// GPRegs contains the CPU state (registers) for the thread
	GPRegs []byte
	// LWP is the Light Weight Process ID (thread ID)
	LWP uint32
}

ThreadInfo contains the information about a thread CPU state needed for unwinding

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.