A running binary may link other binaries into its address space. These shared objects contain exported functions which may be used by the binary.
This artifact parses the /proc/
name: Linux.Sys.Maps
description: |
A running binary may link other binaries into its address
space. These shared objects contain exported functions which may be
used by the binary.
This artifact parses the /proc/<pid>/maps to emit all mapped files
into the process.
precondition: SELECT OS From info() where OS = 'linux'
parameters:
- name: processRegex
description: A regex applied to process names.
default: .
type: regex
sources:
- query: |
LET processes = SELECT Pid, Name, Username
FROM pslist()
WHERE Name =~ processRegex
SELECT Pid, Name, Username,
"0x" + Record.Start AS StartHex,
"0x" + Record.End AS EndHex,
Record.Perm AS Perm,
atoi(string="0x" + Record.Size) AS Size,
"0x" + Record.Size AS SizeHex,
Record.Filename AS Filename,
if(condition=Record.Deleted, then=TRUE, else=FALSE) AS Deleted
FROM foreach(
row=processes,
query={
SELECT parse_string_with_regex(
string=Line,
regex="(?P<Start>^[^-]+)-(?P<End>[^\\s]+)\\s+(?P<Perm>[^\\s]+)\\s+(?P<Size>[^\\s]+)\\s+[^\\s]+\\s+(?P<PermInt>[^\\s]+)\\s+(?P<Filename>.+?)(?P<Deleted> \\(deleted\\))?$") AS Record,
Pid, Name, Username
FROM parse_lines(
filename=format(format="/proc/%d/maps", args=[Pid]),
accessor='file'
)
})